Page MenuHomePhabricator
Differential D10206

Don't send reset links to unverified addresses on accounts with verified addresses
ClosedPublic
Actions

Authored by epriestley on Aug 9 2014, 9:08 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Aug 26, 7:49 AM
Unknown Object (File)
Sun, Aug 25, 12:48 PM
Unknown Object (File)
Sun, Aug 18, 7:11 PM
Unknown Object (File)
Sun, Aug 18, 2:02 PM
Unknown Object (File)
Wed, Aug 14, 9:18 PM
Unknown Object (File)
Sun, Aug 4, 3:38 PM
Unknown Object (File)
Jul 24 2024, 7:01 AM
Unknown Object (File)
Jul 18 2024, 4:20 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Commits
Restricted Diffusion Commit
rP6232e9676cd4: Don't send reset links to unverified addresses on accounts with verified…
Summary

Via HackerOne. If a user adds an email address and typos it, entering alinculne@gmailo.com, and it happens to be a valid address which an evil user controls, the evil user can request a password reset and compromise the account.

This strains the imagination, but we can implement a better behavior cheaply.

  • If an account has any verified addresses, only send to verified addresses.
  • If an account has no verified addresses (e.g., is a new account), send to any address.

We've also received several reports about reset links not being destroyed as aggressively as researchers expect. While there's no specific scenario where this does any harm, revoke all outstanding reset tokens when a reset link is used to improve the signal/noise ratio of the reporting channel.

Test Plan
  • Tried to send a reset link to an unverified address on an account with a verified address (got new error).
  • Tried to send a reset link to a verified adddress on an account with a verified address (got email).
  • Tried to send a reset link to an invalid address (got old error).
  • Tried to send a reset link to an unverified address on an account with only unverified addresses -- a new user (got email).
  • Requested several reset links, used one, verified all the others were revoked.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 24563.Aug 9 2014, 9:08 PM
epriestley retitled this revision from to Don't send reset links to unverified addresses on accounts with verified addresses.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
Herald added a subscriber: epriestley. · View Herald TranscriptAug 9 2014, 9:08 PM
Harbormaster completed remote builds in B2136: Diff 24563.Aug 9 2014, 9:09 PM
btrahan accepted this revision.Aug 11 2014, 6:25 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Aug 11 2014, 6:25 PM
epriestley closed this revision.Aug 11 2014, 7:13 PM
epriestley updated this revision to Diff 24595.

Closed by commit rP6232e9676cd4 (authored by @epriestley).

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
controller/
13 lines
20 lines

Diff 24595

View Options

src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php

Loading...
View Options

src/applications/auth/controller/PhabricatorEmailLoginController.php

Loading...
Phabricator · Built by Phacility