Last modified: 2013-04-22 16:16:44 UTC
When a user wants to disable the two-factor authentication, he/she needs to supply a valid token to verify the request. However, OATH does not verify the token value provided by the user – the token is just passed from SpecialOATH::tryDisableSubmit to OATHUser::disable, probably assuming the latter verifies it. It does not: OATHUser::disable just disables the two-factor authentication, without paying any attention to the passed token.
Patch committed to Gerrit as If5f6bc33.
Thanks for the bug report and fix. It's merged in!