** Changed in: mahara/16.10
       Status: In Progress => Fix Committed

** Changed in: mahara/16.04
       Status: Confirmed => In Progress

** Changed in: mahara/15.10
       Status: Confirmed => In Progress

** Changed in: mahara/15.04
       Status: Confirmed => In Progress

You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!

  Should invalidate password reset links when a user changes their
  primary email address

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  In Progress
Status in Mahara 15.10 series:
  In Progress
Status in Mahara 16.04 series:
  In Progress
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  As reported to us through the mahara.org security bug email address,
  by Sajibe kanti.

  When a user completes the "Forgot password?" password reset process,
  we delete any remaining password reset links for that user. However,
  we do not delete these if a user changes their primary email address.
  As the initial email points out, that could lead to an attack like

  1. Attacker compromises victim's Mahara account (without changing victim's 
  2. Attacker changes their account's primary email address to the attacker's 
email address.
  3. Attacker uses "Forgot password" page to request a password reset email. 
They don't immediately use the link in the password reset email; instead they 
store it for later.
  4. Victim realizes their Mahara account is compromised, and logs in to their 
  5. Victim attempts to secure their account by changing their password 
(through account settings page), and changing their primary email address back 
to their own.

  Expected result: The attacker is locked out of the victim's Mahara

  Actual result: The attacker uses their stored password reset email to
  change the user's password and re-gain access to their account.

  We could help reduce this attack vector, by deleting any outstanding password 
reset emails for a user, when the user updates their account's primary email 
address. We should probably also delete any outstanding password reset emails 
for a user, when they change their account password through the account 
settings page. It may be worth considering other situations where password 
reset emails should be deleted, as well.

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to