Should invalidate password reset links when a user changes their primary email address

Bug #1577251 reported by Aaron Wells on 2016-05-01
Affects   Status   Importance   Assigned to   Milestone
Mahara             Low          Unassigned
15.04              Low          Unassigned
15.10              Low          Unassigned
16.04              Low          Unassigned
16.10              Low          Unassigned

Bug Description

As reported to us through the mahara.org security bug email address, by Sajibe kanti.

When a user completes the "Forgot password?" password reset process, we delete any remaining password reset links for that user. However, we do not delete these if a user changes their primary email address. As the initial email points out, that could lead to an attack like this:

1. Attacker compromises victim's Mahara account (without changing victim's password).
2. Attacker changes their account's primary email address to the attacker's email address.
3. Attacker uses "Forgot password" page to request a password reset email. They don't immediately use the link in the password reset email; instead they store it for later.
4. Victim realizes their Mahara account is compromised, and logs in to their account.
5. Victim attempts to secure their account by changing their password (through account settings page), and changing their primary email address back to their own.

Expected result: The attacker is locked out of the victim's Mahara account

Actual result: The attacker uses their stored password reset email to change the user's password and re-gain access to their account.

We could help reduce this attack vector by deleting any outstanding password reset emails for a user when the user updates their account's primary email address. We should probably also delete any outstanding password reset emails for a user when they change their account password through the account settings page. It may be worth considering other situations where password reset emails should be deleted, as well.

Aaron Wells (u-aaronw) wrote :

Setting priority to "Low" because this vulnerability is of limited use:

1. This vulnerability only helps an attacker who has already compromised the victim's Mahara account. It does not offer a means to compromise an account on its own.

2. This attack doesn't allow for an ongoing cycle of compromises. Once used, the attacker will have changed the victim's password, which will lead the victim to use the "Forgot password" page themselves, which deletes all other password reset emails for the user. So, the attacker can only use this once.

3. Mahara password reset emails are only valid for 24 hours. So this method can't be used to re-compromise the account days later when the victim has become less suspicious.
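A constructed model of the reset-link lifecycle described in the bug report and in the priority comment above, added here as an example; it is not Mahara's own code, and the ResetService class, the stored_link_still_works scenario and the example addresses are assumptions. It replays steps 2 to 5 of the report with and without the fix, and also shows the 24-hour expiry that limits the stale link on its own.

```python
import hashlib
import secrets
from types import SimpleNamespace

RESET_TTL_SECONDS = 24 * 60 * 60  # Mahara reset links are valid for 24 hours

def _h(token): return hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the bearer token

class ResetService:
    """Toy reset-link lifecycle (not Mahara's code). invalidate_on_change=False is the
    behaviour the report describes; True is the behaviour after the fix."""
    def __init__(self, invalidate_on_change):
        self.invalidate_on_change = invalidate_on_change
        self.now = 0  # simulated clock, seconds

    def request_reset(self, acct):
        """'Forgot password?': mint a token; in real life it is only mailed to acct.email."""
        token = secrets.token_urlsafe(32)
        acct.reset_tokens[_h(token)] = self.now + RESET_TTL_SECONDS
        return token

    def redeem_reset(self, acct, token, new_password):
        """Completing a reset: reject unknown or expired tokens, then drop all others."""
        expiry = acct.reset_tokens.get(_h(token))
        if expiry is None or self.now > expiry:
            return False
        acct.password = new_password
        acct.reset_tokens.clear()
        return True

    def change_password(self, acct, new_password):
        acct.password = new_password
        if self.invalidate_on_change:  # the fix: a settings-page change drops reset links
            acct.reset_tokens.clear()

    def change_primary_email(self, acct, new_email):
        acct.email = new_email
        if self.invalidate_on_change:  # the fix: an email change drops reset links
            acct.reset_tokens.clear()

def stored_link_still_works(invalidate_on_change, hours_later=0):
    """Replays steps 2-5 of the report; True means the link kept at step 3 still works."""
    svc = ResetService(invalidate_on_change)
    victim = SimpleNamespace(email="victim@example.invalid", password="original", reset_tokens={})
    svc.change_primary_email(victim, "attacker@example.invalid")  # step 2
    stored = svc.request_reset(victim)                            # step 3: link kept, unused
    svc.change_password(victim, "recovered")                      # step 5
    svc.change_primary_email(victim, "victim@example.invalid")    # step 5
    svc.now += hours_later * 3600                                 # delay before the link is tried
    return svc.redeem_reset(victim, stored, "attacker-chosen")
```

Without the fix the stored link still resets the password; with the fix it is gone as soon as the victim changes either the password or the primary email, and even without the fix it stops working after 24 hours.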

Reviewed: https://reviews.mahara.org/7066
Committed: https://git.mahara.org/mahara/mahara/commit/6cfb0274081b55dade4edb526a2db580b15dc2c4
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 6cfb0274081b55dade4edb526a2db580b15dc2c4
Author: Robert Lyon <email address hidden>
Date: Tue Oct 4 13:54:44 2016 +1300

Bug 1577251: Delete password requests when changing primary email

behatnotneeded

Change-Id: I63080b651e08e8e747a891e9f7f2283bfecb72f1
Signed-off-by: Robert Lyon <email address hidden>

Reviewed: https://reviews.mahara.org/7164
Committed: https://git.mahara.org/mahara/mahara/commit/4a51beb36d4bfb0619024b2917c4e103eb0bae30
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 4a51beb36d4bfb0619024b2917c4e103eb0bae30
Author: Robert Lyon <email address hidden>
Date: Tue Oct 4 13:54:44 2016 +1300

Bug 1577251: Delete password requests when changing primary email

behatnotneeded

Change-Id: I63080b651e08e8e747a891e9f7f2283bfecb72f1
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 6cfb0274081b55dade4edb526a2db580b15dc2c4)

Mahara Bot (dev-mahara) wrote :

Patch for "15.10_STABLE" branch: https://reviews.mahara.org/7166

Mahara Bot (dev-mahara) wrote :

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/7167

Reviewed: https://reviews.mahara.org/7167
Committed: https://git.mahara.org/mahara/mahara/commit/fe6087caa0c3b9e4abe4386c8afa329d42631389
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit fe6087caa0c3b9e4abe4386c8afa329d42631389
Author: Robert Lyon <email address hidden>
Date: Tue Oct 4 13:54:44 2016 +1300

Bug 1577251: Delete password requests when changing primary email

behatnotneeded

Change-Id: I63080b651e08e8e747a891e9f7f2283bfecb72f1
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 6cfb0274081b55dade4edb526a2db580b15dc2c4)
(cherry picked from commit 4a51beb36d4bfb0619024b2917c4e103eb0bae30)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/7166
Committed: https://git.mahara.org/mahara/mahara/commit/e715a9ed7ff6d23f98620e8452ec5b483ae1e4ac
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit e715a9ed7ff6d23f98620e8452ec5b483ae1e4ac
Author: Robert Lyon <email address hidden>
Date: Tue Oct 4 13:54:44 2016 +1300

Bug 1577251: Delete password requests when changing primary email

behatnotneeded

Change-Id: I63080b651e08e8e747a891e9f7f2283bfecb72f1
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 6cfb0274081b55dade4edb526a2db580b15dc2c4)
(cherry picked from commit 4a51beb36d4bfb0619024b2917c4e103eb0bae30)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/7165
Committed: https://git.mahara.org/mahara/mahara/commit/ed4cc088716d9e52b4110952ec9dc7590364192f
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit ed4cc088716d9e52b4110952ec9dc7590364192f
Author: Robert Lyon <email address hidden>
Date: Tue Oct 4 13:54:44 2016 +1300

Bug 1577251: Delete password requests when changing primary email

behatnotneeded

Change-Id: I63080b651e08e8e747a891e9f7f2283bfecb72f1
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 6cfb0274081b55dade4edb526a2db580b15dc2c4)
(cherry picked from commit 4a51beb36d4bfb0619024b2917c4e103eb0bae30)

Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
milestone: 16.10.0 → none
Robert Lyon (robertl-9) on 2016-10-25
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information.