Password can be changed with only cookie authentication

Bug #829836 reported by William Grant
Affects: Canonical SSO provider
Status: Fix Released
Importance: High
Assigned to: Tom Wardill
Milestone: (not set)

Bug Description

SSO permits me to change my password without asking for the old one. This is pretty universally regarded as seriously bad practice.

Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → High
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

I agree, best practices dictate that changing your password is something that should reauthenticate you to prevent malicious apps or scripts from silently changing it.

Andy Whitcroft (apw) wrote :

I would add that if you have 2-factor turned on for always, a full 2-factor auth should be required.

Andy Whitcroft (apw) wrote :

There is a freshness factor in SSO requests: you can request that the user confirm their password via the "openid.pape.max_auth_age=0" option on the request. This is intended for confirmation that the user is really there now, such as might be done before allowing any updates to private information or configuration.

Stuart Metcalfe (stuartmetcalfe) wrote :

openid.pape.max_auth_age=0 is used to force re-entry of passwords as part of an openid request. SSO itself doesn't use openid to authenticate users when editing their account, so it can't be used in this context. We need to add a current password field (and relevant checks) to the change password form, possibly also splitting that functionality out into a separate page.
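The fix the comments above converge on, as an added Python example that is not code from the Canonical SSO provider: the cookie-only handler reported in the bug beside a hardened one that re-verifies the current password and, for accounts with 2-factor always on, requires a verified second factor. The PBKDF2 storage is a constructed stand-in for the real credential store, and `second_factor_verified` is an assumed flag supplied by whatever 2FA step the application already runs.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000  # constructed value; tune for the real deployment


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time check of a password against stored salt || digest."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, user_id: int, password: str, two_factor_always: bool = False):
        self.user_id = user_id
        self.password_hash = hash_password(password)
        self.two_factor_always = two_factor_always  # "2-factor turned on for always"


def change_password_vulnerable(account: Account, session: dict, new_password: str) -> Tuple[bool, str]:
    """The reported behaviour: a valid session cookie is the only check."""
    if session.get("user_id") != account.user_id:
        return False, "not logged in"
    account.password_hash = hash_password(new_password)
    return True, "changed"


def change_password(account: Account, session: dict, current_password: str,
                    new_password: str, second_factor_verified: bool = False) -> Tuple[bool, str]:
    """Hardened form: the current password (and 2FA when enabled) is re-checked first."""
    if session.get("user_id") != account.user_id:
        return False, "not logged in"
    # Re-authenticate before touching anything, so a hijacked session or a
    # script riding the cookie cannot rotate the password silently.
    if not verify_password(current_password, account.password_hash):
        return False, "current password incorrect"
    if account.two_factor_always and not second_factor_verified:
        return False, "second factor required"
    account.password_hash = hash_password(new_password)
    return True, "changed"
```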

Tom Wardill (twom)
Changed in canonical-identity-provider:
assignee: nobody → Tom Wardill (twom)
Changed in canonical-identity-provider:
status: Confirmed → In Progress
Tom Wardill (twom)
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Tom Wardill (twom)
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
This report contains Public Security information. Everyone can see this security related information.
