Homec4science

Fix some security issues with email password resets

Authored by epriestley <git@epriestley.com> on Jan 27 2014, 22:20.

Description

Fix some security issues with email password resets

Summary:
Via HackerOne, there are two related low-severity issues with this workflow:

  • We don't check if you're already logged in, so an attacker can trick a victim (whether they're logged in or not) into clicking a reset link for an account the attacker controls (maybe via an invisible iframe) and log the user in under a different account.
  • We don't check CSRF tokens either, so after fixing the first thing, an attacker can still trick a logged-out victim in the same way.

It's not really clear that doing this opens up any significant attacks afterward, but both of these behaviors aren't good.

I'll probably land this for audit in a few hours if @btrahan doesn't have a chance to take a look at it since he's probably on a plane for most of the day, I'm pretty confident it doesn't break anything.

Test Plan:

  • As a logged-in user, clicked another user's password reset link and was not logged in.
  • As a logged-out user, clicked a password reset link and needed to submit a form to complete the workflow.

Reviewers: btrahan

CC: chad, btrahan, aran

Differential Revision: https://secure.phabricator.com/D8079

Details

Committed
epriestley <git@epriestley.com>Jan 28 2014, 01:53
Pushed
aubortJan 31 2017, 17:16
Parents
rPH3fd20e4725b6: Leafy vegetables.
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH152f05aebed0: Fix some security issues with email password resets (authored by epriestley <git@epriestley.com>).Jan 28 2014, 01:53