Topic: Issues with password reset mechanism

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Issues with password reset mechanism
« on: August 16, 2013, 10:04:45 AM »
This isn't strictly a security vulnerability, but there are issues with the password reset mechanism.

1) Can be hammered by bots.
There's no CAPTCHA or *anything* involved here. This has two sets of consequences, potentially... firstly, it means users get tons of email when bots start causing trouble, and secondly, in the worst cases it can see a site be flagged as a spammer.

2) There's no expiry time.
The link generated in the email is valid for an indefinite period. It should only last 24 hours or so; there's not really much reason to leave it valid longer than that.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 18,091
  • Gender: Male
  • Liroy van Hoewijk
    • coreisp on GitHub
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
Re: Issues with password reset mechanism
« Reply #1 on: August 16, 2013, 10:17:42 AM »
3) It tells you whether or not the email exists in the database.
And that, I do consider a potential vulnerability to be honest :P
« Last Edit: August 16, 2013, 11:28:36 AM by CoreISP »
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
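The three issues raised so far (no throttling, no link expiry, and a form that confirms whether an address is registered) can be closed in one small design. The following is an added example, not SMF's code; the user table, the three-per-hour threshold and the example addresses are constructed for the demo:

```python
import secrets
import time
from collections import defaultdict

TOKEN_TTL = 24 * 3600        # reset link valid for ~24 hours, as the post suggests
MAX_PER_HOUR = 3             # constructed throttle: requests per identifier per hour


class ResetService:
    def __init__(self, known_emails, now=time.time):
        self.known = set(known_emails)      # constructed stand-in for the members table
        self.now = now                      # injectable clock so expiry can be tested
        self.tokens = {}                    # token -> (email, expires_at)
        self.requests = defaultdict(list)   # identifier -> request timestamps
        self.outbox = []                    # (email, token) pairs that would be mailed

    def _throttled(self, ident):
        """Sliding one-hour window, counted for unknown addresses too (issue 1)."""
        t = self.now()
        recent = [s for s in self.requests[ident] if t - s < 3600]
        self.requests[ident] = recent
        if len(recent) >= MAX_PER_HOUR:
            return True
        recent.append(t)
        return False

    def request_reset(self, email):
        """Same reply whether or not the address exists, so the form cannot be
        used to confirm which emails are registered (issue 3)."""
        if not self._throttled(email) and email in self.known:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (email, self.now() + TOKEN_TTL)
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def redeem(self, token):
        """Single-use token that is refused once TOKEN_TTL has passed (issue 2).
        Returns the email on success, None otherwise."""
        entry = self.tokens.pop(token, None)    # pop: a token can be used only once
        if entry is None:
            return None
        email, expires_at = entry
        return email if self.now() <= expires_at else None


if __name__ == "__main__":
    svc = ResetService({"alice@example.test"})
    print(svc.request_reset("alice@example.test"))
    print(svc.request_reset("nobody@example.test"))   # identical reply
    _, tok = svc.outbox[0]
    print(svc.redeem(tok), svc.redeem(tok))          # alice@example.test None
```

A real deployment would persist a hash of the token rather than the token itself and throttle per client address as well as per email; both are left out here to keep the three points visible.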

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Re: Issues with password reset mechanism
« Reply #2 on: August 16, 2013, 10:19:46 AM »
That's also true, yes, it gives you a magic method to validate email addresses, and yes, that is a legitimate vulnerability of sorts. However, on the other hand, it does cross the 'security vs usability' line; there is a valid argument that giving users better feedback is more usable even if it is less secure.

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 18,091
  • Gender: Male
  • Liroy van Hoewijk
    • coreisp on GitHub
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
Re: Issues with password reset mechanism
« Reply #3 on: August 16, 2013, 10:34:14 AM »
Yeah, that's certainly true. Where do you draw the line? It's absolutely no lie that it might be annoying if you have multiple email addresses and you have no idea which one you registered with. Although... IIRC (it's been a while o0) you can request a password reset using your username, which kinda solves that issue.
Just noticed it has been used to scan for accounts to compromise. :(

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Re: Issues with password reset mechanism
« Reply #4 on: August 16, 2013, 10:35:37 AM »
Quote
IIRC (it's been a while o0) you can request a password reset using your username which kinda solves that issue.

Correct.

Quote
Just noticed it has been used to scan for accounts to compromise.

Yeah, we've noticed much the same thing elsewhere (which is what prompted me to raise it).

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: Issues with password reset mechanism
« Reply #5 on: August 16, 2013, 03:53:46 PM »
Moved to bug reports so it's easier to find. :P
Take a peek at what I'm doing! ;D

Need support in Italian?

Help us help you: explain your problem clearly. No, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,980
    • StoryBB/StoryBB on GitHub
Re: Issues with password reset mechanism
« Reply #6 on: August 16, 2013, 03:55:05 PM »
I personally didn't consider them bugs as such, but it's all good.