mahara-contributors team mailing list archive
Message #35085
[Bug 1577251] Re: Should invalidate password reset links when a user changes their primary email address
Setting priority to "Low" because this vulnerability is of limited use:
1. This vulnerability only helps an attacker who has already compromised
the victim's Mahara account. It does not offer a means to compromise an
account on its own.
2. This attack doesn't allow for an ongoing cycle of compromises. Once
used, the attacker will have changed the victim's password, which will
lead the victim to use the "Forgot password" page themselves, which
deletes all other password reset emails for the user. So, the attacker
can only use this once.
3. Mahara password reset emails are only valid for 24 hours. So this
method can't be used to re-compromise the account days later when the
victim has become less suspicious.
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1577251
Title:
Should invalidate password reset links when a user changes their
primary email address
Status in Mahara:
Confirmed
Status in Mahara 15.04 series:
Confirmed
Status in Mahara 15.10 series:
Confirmed
Status in Mahara 16.04 series:
Confirmed
Status in Mahara 16.10 series:
Confirmed
Bug description:
As reported to us through the mahara.org security bug email address,
by Sajibe kanti.
When a user completes the "Forgot password?" password reset process,
we delete any remaining password reset links for that user. However,
we do not delete these if a user changes their primary email address.
As the initial email points out, that could lead to an attack like
this:
1. Attacker compromises victim's Mahara account (without changing victim's password).
2. Attacker changes their account's primary email address to the attacker's email address.
3. Attacker uses "Forgot password" page to request a password reset email. They don't immediately use the link in the password reset email; instead they store it for later.
4. Victim realizes their Mahara account is compromised, and logs in to their account.
5. Victim attempts to secure their account by changing their password (through account settings page), and changing their primary email address back to their own.
Expected result: The attacker is locked out of the victim's Mahara
account
Actual result: The attacker uses their stored password reset email to
change the user's password and regain access to their account.
We could help reduce this attack vector, by deleting any outstanding password reset emails for a user, when the user updates their account's primary email address. We should probably also delete any outstanding password reset emails for a user, when they change their account password through the account settings page. It may be worth considering other situations where password reset emails should be deleted, as well.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1577251/+subscriptions
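A minimal model of the reset-link lifecycle with the two invalidation points the report proposes (on primary email change and on password change via account settings), plus the existing behaviour of deleting remaining links once a reset completes and the 24-hour validity window. This is an added example, not Mahara's own code; the Accounts class, its methods and the sample user are constructed for illustration. replay_scenario() walks through steps 1-5 of the report and returns whether the stored link still works after the victim's clean-up.

```python
import secrets

RESET_TTL = 24 * 60 * 60  # Mahara reset links are valid for 24 hours


class Accounts:
    """Toy account store modelling reset-link lifecycle (constructed, not Mahara code)."""

    def __init__(self):
        self.users = {}         # username -> {"email": ..., "password": ...}
        self.reset_tokens = {}  # token -> (username, issued_at)

    def add_user(self, name, email, password):
        self.users[name] = {"email": email, "password": password}

    def _invalidate_resets(self, name):
        # Drop every outstanding reset token that belongs to this user.
        for tok in [t for t, (u, _) in self.reset_tokens.items() if u == name]:
            del self.reset_tokens[tok]

    def request_reset(self, name, now):
        # "Forgot password": issue a fresh token; this is the value in the emailed link.
        tok = secrets.token_urlsafe(32)
        self.reset_tokens[tok] = (name, now)
        return tok

    def consume_reset(self, tok, new_password, now):
        entry = self.reset_tokens.get(tok)
        if entry is None:
            return False                      # unknown, already used, or invalidated
        name, issued = entry
        if now - issued > RESET_TTL:
            self._invalidate_resets(name)     # expired link
            return False
        self.users[name]["password"] = new_password
        self._invalidate_resets(name)         # existing behaviour: reset deletes the rest
        return True

    def change_primary_email(self, name, new_email):
        self.users[name]["email"] = new_email
        self._invalidate_resets(name)         # fix proposed in the bug

    def change_password(self, name, new_password):
        self.users[name]["password"] = new_password
        self._invalidate_resets(name)         # also proposed in the bug


def replay_scenario():
    """Replay steps 1-5 of the report; returns True only if the stored link still works."""
    db = Accounts()
    db.add_user("victim", "victim@example.org", "hunter2")
    t0 = 1_000_000
    db.change_primary_email("victim", "attacker@example.net")   # step 2
    stored_link = db.request_reset("victim", t0)                # step 3: link kept for later
    db.change_password("victim", "new-secret")                  # step 5
    db.change_primary_email("victim", "victim@example.org")     # step 5
    return db.consume_reset(stored_link, "attacker-pw", t0 + 60)
```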