Details
Bug
Resolution: Timed out
Low
Description
When I sign in to a third-party website using Bitbucket, it seems to forget the final redirect destination now that I have 2-Factor-Authentication turned on. Instead of ending up back at the third-party website, I end up in Bitbucket.
I've tested this in incognito/private mode in both Chrome and Firefox, and the results are consistently the same.
If I go to a specific URL (such as "https://bitbucket.org/my-account/my-repo") when not logged in, enter my login credentials, but enter the wrong 2FA code first, even if I then on the 2nd try enter the right 2FA code, I simply get redirected to "https://bitbucket.org/", not the page I was trying to reach.
If I do all that but enter the correct 2FA code on the first try, then it successfully redirects me to the page I was trying to reach.
Given that, it seems that the original redirect target is being lost if the user enters an incorrect 2FA code.
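The symptom reported above, modelled as an added example (not Bitbucket's code, and not from the reporter): a two-step login that keeps or drops the post-login target across a failed 2FA attempt. The `LoginFlow` class, the `keep_target_on_retry` switch, the same-host allow-list and the sample code `123456` are all assumptions made for illustration; the report does not state the actual cause.

```python
import hmac
from urllib.parse import urlsplit

ALLOWED_HOST = "bitbucket.org"            # assumption: only same-site targets are honoured
DEFAULT_TARGET = "https://bitbucket.org/"


def safe_target(url):
    """Return url if it is an https URL on the allowed host, else the default."""
    parts = urlsplit(url or "")
    if parts.scheme == "https" and parts.hostname == ALLOWED_HOST:
        return url
    return DEFAULT_TARGET


class LoginFlow:
    """Hypothetical two-step login; a dict stands in for server-side session state."""

    def __init__(self, valid_code, keep_target_on_retry):
        self.valid_code = valid_code
        self.keep_target_on_retry = keep_target_on_retry
        self.session = {}

    def password_ok(self, next_url):
        # Validate the target once, up front, and keep it server-side.
        self.session = {"pending_2fa": True, "next": safe_target(next_url)}

    def submit_code(self, code):
        """Return the redirect URL on success, or None to re-prompt for a code."""
        if not self.session.get("pending_2fa"):
            raise RuntimeError("no login in progress")
        if not hmac.compare_digest(code, self.valid_code):
            if not self.keep_target_on_retry:
                # Models the reported symptom: the target does not survive
                # a failed attempt (the real cause is not in the report).
                self.session.pop("next", None)
            return None
        target = self.session.get("next", DEFAULT_TARGET)
        self.session = {}                 # login complete, clear pending state
        return target


def run(keep, codes, next_url="https://bitbucket.org/my-account/my-repo"):
    """Constructed scenario: password accepted, then each code submitted in order."""
    flow = LoginFlow(valid_code="123456", keep_target_on_retry=keep)
    flow.password_ok(next_url)
    result = None
    for code in codes:
        result = flow.submit_code(code)
    return result
```

With `keep=False`, a wrong code followed by the right one lands on the default page, while the right code on the first try reaches the requested page, which is the pattern in the report. With `keep=True` both paths reach the requested page, and a target on another host still falls back to the default.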