A security bug affecting the newest core package, accounts-2fa, requires your attention.

Meteor developers already using this package should be aware of a recently discovered security vulnerability. This only applies to apps that used the package with Meteor 2.7, and it is fixed in 2.7.1. Also, only users that already have 2FA enabled could be affected by the vulnerability.


One of our core developers, Zodern, found and reported a NoSQL Injection problem in the function .has2faEnabled, one of the new methods exposed by the package accounts-2fa. This function accepted any value as its parameter and used it as a query against the user collection, meaning that data could be extracted, but only for users with 2FA enabled.


The vulnerability would allow things like checking whether 2FA is enabled for any user, getting a list of all users that have 2FA enabled, getting data from a user’s document if they had 2FA enabled, or doing a denial of service attack on the Mongo database.

So the first thing you may want to check is if you have any user in your database that has 2FA enabled. This query should fetch those users:

db.users.find({ "services.twoFactorAuthentication.type": "otp" })

If this query doesn’t return anything, you don’t need to worry. Just go to the “Applying the solution to your app” section.

But in case it does, you may want to check if the vulnerability was exploited. One way to do it is to verify if the method has2faEnabled was called a very large number of times. In order to extract any information, this method would have to be called many times.


The solution for this was pretty simple. As this function was always meant to be used with a logged-in user, all we had to do was stop receiving a selector and use Meteor.user() instead.
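The change described above, sketched as an added example (it is not the accounts-2fa source and not code from the original post): a method that passes a client-supplied selector into a query, beside one that takes no selector and relies only on the logged-in user. The in-memory `users` array, the `matches` helper, `session.userId` and the `Before`/`After` function names are assumptions made so that it runs without Meteor or MongoDB.

```javascript
// Added illustration: NOT the accounts-2fa source. In-memory stand-ins let it
// run without Meteor or MongoDB; all documents below are constructed samples.
const users = [
  { _id: 'u1', username: 'alice', services: { twoFactorAuthentication: { type: 'otp' } } },
  { _id: 'u2', username: 'bob', services: {} },
];
const TWO_FA_FIELD = 'services.twoFactorAuthentication.type';

// Resolve a dotted path such as "services.twoFactorAuthentication.type".
const getPath = (doc, path) =>
  path.split('.').reduce((v, key) => (v == null ? undefined : v[key]), doc);

// Minimal selector matcher (hypothetical, far smaller than Mongo's): literal
// equality plus $ne, enough to show an object value is treated as a query.
function matches(doc, selector) {
  return Object.entries(selector).every(([path, cond]) => {
    const value = getPath(doc, path);
    if (cond === null || typeof cond !== 'object') return value === cond;
    return Object.entries(cond).every(([op, arg]) => {
      if (op !== '$ne') throw new Error(`operator ${op} is not modelled`);
      return value !== arg;
    });
  });
}
const findOne = (selector) => users.find((doc) => matches(doc, selector));

// "Before" shape: whatever the client sends becomes part of the query.
function has2faEnabledBefore(session, selector) {
  return Boolean(findOne({ ...selector, [TWO_FA_FIELD]: 'otp' }));
}

// "After" shape: no selector; only the server-side session identifies the
// user (session.userId stands in for Meteor.user()).
function has2faEnabledAfter(session) {
  if (!session || typeof session.userId !== 'string') {
    throw new Error('must be logged in');
  }
  const user = users.find((doc) => doc._id === session.userId);
  return getPath(user, TWO_FA_FIELD) === 'otp';
}

// Call a method the way a server would: the session is server state and the
// remaining arguments are untrusted client input.
const call = (method, session, ...clientArgs) => method(session, ...clientArgs);
```

In the "after" shape an extra argument from the client is never read, so the result depends only on the caller's own document.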

Applying the solution to your app

If you’re already using this package, make sure to update your Meteor version to 2.7.1 with meteor update --release 2.7.1. The package’s version should now be 2.0.1. You can check that in .meteor/versions.


Meteor believes in responsible disclosure of security vulnerabilities. We respect the hard work of security researchers who privately notify us with vulnerability details, and we appreciate the time they give us to address and resolve vulnerabilities prior to disclosing them publicly.

Credit for the discovery of this vulnerability goes to Zodern, who reported this issue to Meteor.

Please contact [email protected] to report a vulnerability in Meteor.

NoSQL Injection in the accounts-2fa package was originally published in Meteor Blog on Medium.
