
Issues with password reset mechanism

Started by Arantor, August 16, 2013, 10:04:45 AM


Arantor

This isn't strictly a security vulnerability, but there are issues with the password reset mechanism.

1) Can be hammered by bots.
There's no CAPTCHA or *anything* involved here. This has two sets of consequences, potentially... firstly it means users get tons of email when bots start causing trouble and secondly in the worst cases it can see a site be flagged as a spammer.

2) There's no expiry time.
The link generated in the email is valid for an indefinite period. It should only last 24 hours or so; there's not really much reason to leave it valid longer than that.

LiroyvH

3.) It tells you whether or not the email exists in the database
And that, I do consider a potential vulnerability to be honest :P
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Arantor

That's also true, yes: it gives you a magic method to validate email addresses, and yes, that is a legitimate vulnerability of sorts. However, on the other hand, it does cross the 'security vs usability' line; there is a valid argument that giving users better feedback is more usable even if it is less secure.

LiroyvH

Yeah that's certainly true. Where do you draw the line? It's absolutely no lie that it might be annoying if you have multiple email addresses and you have no idea which one you registered with. Although... IIRC (it's been a while o0) you can request a password reset using your username which kinda solves that issue.
Just noticed it has been used to scan for accounts to compromise. :(

Arantor

> IIRC (it's been a while o0) you can request a password reset using your username which kinda solves that issue.

Correct.

> Just noticed it has been used to scan for accounts to compromise.

Yeah, we've noticed much the same thing elsewhere (which is what prompted me to raise it).
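The three problems raised in this thread (no throttling, no expiry, and a reply that reveals whether an address is registered) can be addressed in one small reset flow. The following is an added illustration, not SMF's own code; the `users` map, the per-client request limit and the 24-hour lifetime are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict

RESET_TTL = 24 * 3600   # token lifetime in seconds (addresses issue 2)
MAX_REQUESTS = 3        # reset requests allowed per client per window (issue 1)
WINDOW = 3600           # throttle window in seconds
# One reply for known and unknown addresses alike (issue 3)
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


class PasswordReset:
    """Constructed example; `users` is a hypothetical {email: username} map."""

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock            # injectable so expiry can be tested
        self.tokens = {}              # sha256(token) -> (email, expires_at)
        self.history = defaultdict(list)  # client_ip -> recent request times

    def _throttled(self, client_ip):
        now = self.clock()
        recent = [t for t in self.history[client_ip] if now - t < WINDOW]
        if len(recent) >= MAX_REQUESTS:
            self.history[client_ip] = recent
            return True
        self.history[client_ip] = recent + [now]
        return False

    def request_reset(self, email, client_ip):
        """Return (reply, token). The reply never changes; token is None when
        no mail would be sent (throttled or unknown address)."""
        if self._throttled(client_ip) or email not in self.users:
            return GENERIC_REPLY, None
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, self.clock() + RESET_TTL)
        return GENERIC_REPLY, token                 # caller emails the token

    def redeem(self, token):
        """Return the email the token belongs to, or None if it is unknown,
        already used, or older than RESET_TTL. Only the hash is stored, so a
        leaked table does not yield usable links."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)       # single use
        if entry is None:
            return None
        email, expires_at = entry
        return email if self.clock() <= expires_at else None
```

The throttle counts requests for unknown addresses too, so a scan of the form LiroyvH describes is slowed down rather than answered for free.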

emanuele

Moved to bug reports so it's easier to find. :P

Take a peek at what I'm doing! ;D

Need support in Italian?

Help us help you: explain your problem properly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Arantor

I personally didn't consider them bugs as such but it's all good.
