This release contains security-related updates. All users should update immediately.
Security Updates:
Previous versions contained an issue with verifyChallenge, where in certain situations a challenge solved for User A could be used in place of a challenge solved by User B. This issue could render MFA useless in applicable situations. This vulnerability does not apply to logging in.
This vulnerability applies to:
- Reset Password
- Use of MFA.verifyChallenge, where the userId returned by MFA.verifyChallenge is not validated to be the same as this.userId.
Breaking Changes:
MFA.verifyChallenge's arguments now take the format (userId, type, connectionHash, solvedChallenge).
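
The following is an added example, not the package's own code: a small in-memory model of the cross-user issue described above, showing the caller-side userId comparison and a check bound to the new argument format. The store, the function names and the sample values ("c1", "userA", "resetPassword", "hashA") are assumptions made for illustration.

```javascript
// Constructed in-memory model of a challenge store (hypothetical; not the package's storage).
const challenges = new Map(); // challengeId -> { userId, type, connectionHash, solved }
function issueChallenge(id, userId, type, connectionHash) {
  challenges.set(id, { userId, type, connectionHash, solved: false });
}
function solveChallenge(id) {
  challenges.get(id).solved = true;
  return { challengeId: id }; // what the client hands back to the server
}

// Unbound check: confirms the challenge was solved and returns its owner.
// Safe only if the caller compares the returned userId with the session's user.
function verifyUnbound(solvedChallenge) {
  const c = challenges.get(solvedChallenge.challengeId);
  if (!c || !c.solved) throw new Error("challenge not solved");
  return c.userId;
}
// Caller-side validation that the release notes describe as missing.
function verifyForSession(sessionUserId, solvedChallenge) {
  const owner = verifyUnbound(solvedChallenge);
  if (owner !== sessionUserId) throw new Error("challenge belongs to another user");
  return owner;
}

// Bound check modelled on the (userId, type, connectionHash, solvedChallenge) format.
function verifyBound(userId, type, connectionHash, solvedChallenge) {
  const c = challenges.get(solvedChallenge.challengeId);
  if (!c || !c.solved) throw new Error("challenge not solved");
  if (c.userId !== userId || c.type !== type || c.connectionHash !== connectionHash) {
    throw new Error("challenge not bound to this user, type and connection");
  }
  challenges.delete(solvedChallenge.challengeId); // single use
  return true;
}
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

function demo() {
  issueChallenge("c1", "userA", "resetPassword", "hashA"); // constructed sample values
  const solved = solveChallenge("c1");
  return {
    unboundOwner: verifyUnbound(solved), // accepted no matter which session presents it
    sessionMismatchRejected: rejects(() => verifyForSession("userB", solved)),
    boundMismatchRejected: rejects(() => verifyBound("userB", "resetPassword", "hashB", solved)),
    boundOwnerAccepted: verifyBound("userA", "resetPassword", "hashA", solved),
  };
}
console.log(demo());
```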