HomePhabricator

Fix some security issues with email password resets

Description

Fix some security issues with email password resets

Summary:
Via HackerOne, there are two related low-severity issues with this workflow:

  • We don't check if you're already logged in, so an attacker can trick a victim (whether they're logged in or not) into clicking a reset link for an account the attacker controls (maybe via an invisible iframe) and log the user in under a different account.
  • We don't check CSRF tokens either, so after fixing the first thing, an attacker can still trick a logged-out victim in the same way.

It's not really clear that doing this opens up any significant attacks afterward, but both of these behaviors aren't good.

I'll probably land this for audit in a few hours if @btrahan doesn't have a chance to take a look at it since he's probably on a plane for most of the day, I'm pretty confident it doesn't break anything.

Test Plan:

  • As a logged-in user, clicked another user's password reset link and was not logged in.
  • As a logged-out user, clicked a password reset link and needed to submit a form to complete the workflow.

Reviewers: btrahan

CC: chad, btrahan, aran

Differential Revision: https://secure.phabricator.com/D8079

Details

Provenance
epriestleyAuthored on
epriestleyPushed on Jan 28 2014, 12:53 AM
Differential Revision
D8079: Fix some security issues with email password resets
Parents
rP3fd20e4725b6: Leafy vegetables.
Branches
Unknown
Tags
Unknown

Event Timeline