Closed
Bug 1045767
Opened 10 years ago
Closed 10 years ago
password reset not reset if email changed before use
Categories
(Bugzilla :: User Accounts, defect)
Bugzilla
User Accounts
Tracking
()
RESOLVED
INVALID
People
(Reporter: curtisk, Unassigned)
References
Details
(Whiteboard: [site:bugzilla.mozilla.org][reporter-external])
Subject: Vulnerability Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met) From: Dushyant Sahu <sahu.dissu@gmail.com> To: security@mozilla.org -----//----- Hi, Hope you are good! Host :- https://bugzilla.mozilla.org Steps to repro: 1) Create a account on https://bugzilla.mozilla.org having email address "a@x.com". 2) Now Logout and ask for password reset link. Don't use the password reset link. 3) Login using the same password back and update your email address to "b@x.com" and verify the same. 4) Now logout and use the password reset link which was mailed to "a@x.com" in step 2. 5) Password will be changed. All previous password reset links should automatically expire once a user changes his email address. Please let me know if this can be fixed. Best Regards Dushyant Sahu
Reporter | ||
Updated•10 years ago
|
Flags: sec-bounty?
Whiteboard: [site:bugzilla.mozilla.org][reporter-external]
Reporter | ||
Comment 1•10 years ago
|
||
The ability to exploit this seems like a longshot to me. You would have to have the bugzilla credentials to do step 3 already and likely have control of one or both of the email accounts. As such I think this is sec-low but will solicit for other input.
Assignee: nobody → user-accounts
Component: Administration → User Accounts
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → unspecified
Comment 3•10 years ago
|
||
This is not a bug. The password change request is tied to an account (an internal user ID), not tied to an email address. When user X changes his email address, he is still user X, and so there is no reason to invalidate his password change request.
Comment 4•10 years ago
|
||
when user change the password all old password reset session should be expire automatically but it is not happning here session management bug.. you can see clearly
Comment 5•10 years ago
|
||
you know i reported to google or microsoft this same they accepted as medium session management bug
Comment 6•10 years ago
|
||
I agree with Frédéric, it is not a bug as such. You can't use this method to hijack an account, without having access to the a@x.com's e-mail address, and if that was the case, you could change the e-mail address and then the password anyway. Having said that, I think it would be a good idea to expire password change tokens once an e-mail change has been actioned. It seems like the 'best practice' thing to do.
Comment 7•10 years ago
|
||
Not a security bug, per comments 3 and 6.
Group: bugzilla-security
Severity: normal → minor
Comment 8•10 years ago
|
||
Bounty
Comment 9•10 years ago
|
||
(In reply to Frédéric Buclin from comment #3) > When user X changes his email address, he is still user X, > and so there is no reason to invalidate his password change request. It's quite possible the reason they changed their address is because they lost control of the original email address -- and now possibly a malicious person still has access to a valid working password reset token and can take over their bugzilla account too. Likewise we should expire password reset tokens if the user successfully logs in with their old password. If they say "I forgot my password" but then remember it they probably then won't use the reset token, which means it sits usable by anyone who was able to harvest it as it went by in plaintext mail until it expires. Neither scenario keeps me awake at night, but they could plausibly happen to a few people here and there. It's no inconvenience to a legitimate user to invalidate the token in these cases (they aren't likely to expect them to work anyway, and can always request a new one) and doing so would make us safer in these edge cases.
Comment 10•10 years ago
|
||
it is minor bug so reward should also minor i reported this to google and they gives me 750$
Comment 11•10 years ago
|
||
Oh, actually this bug is invalid! I just tested against bmo, Bugzilla 4.2 and 4.5, and they all behave the same way. Once you log in (step 3), all pending tokens are invalidated: # The user's credentials are okay, so delete any outstanding # password tokens or login failures they may have generated. Bugzilla::Token::DeletePasswordTokens($user->id, "user_logged_in"); If you try to use the link in the "password change" email, the token is not longer recognized and you get this error: "The token you submitted does not exist, has expired, or has been canceled" So Bugzilla already prevents to reuse old tokens.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: sec-bounty?
Resolution: --- → INVALID
Reporter | ||
Updated•10 years ago
|
Flags: sec-bounty-
Comment 14•10 years ago
|
||
but bug is early
You need to log in
before you can comment on or make changes to this bug.
Description
•