Closed Bug 1045767 Opened 10 years ago Closed 10 years ago

password reset not reset if email changed before use

Categories

(Bugzilla :: User Accounts, defect)

Product:
Bugzilla
Component:
User Accounts
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: curtisk, Unassigned)

References

Details

(Whiteboard: [site:bugzilla.mozilla.org][reporter-external]) 

Subject: Vulnerability Category- Broken Authentication and Session Management
	(leads to account compromise if some conditions are met)
From: Dushyant Sahu <sahu.dissu@gmail.com>
To: security@mozilla.org
-----//-----
Hi,

Hope you are good!



Host :- https://bugzilla.mozilla.org

Steps to repro:
1) Create a account on https://bugzilla.mozilla.org having email address "a@x.com".
2) Now Logout and ask for password reset link. Don't use the password reset link.
3) Login using the same password back and update your email address to "b@x.com" and verify the same.
4) Now logout and use the password reset link which was mailed to "a@x.com" in step 2.
5) Password will be changed.

All previous password reset links should automatically expire once a user changes his email address.
Please let me know if this can be fixed.

Best Regards
Dushyant Sahu
Flags: sec-bounty?
Whiteboard: [site:bugzilla.mozilla.org][reporter-external]
The ability to exploit this seems like a longshot to me. You would have to have the bugzilla credentials to do step 3 already and likely have control of one or both of the email accounts. As such I think this is sec-low but will solicit for other input.
Assignee: nobody → user-accounts
Component: Administration → User Accounts
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → unspecified
This is not a bug. The password change request is tied to an account (an internal user ID), not tied to an email address. When user X changes his email address, he is still user X, and so there is no reason to invalidate his password change request.
when user change the password all old password reset session should be expire automatically but it is not happning here session management bug.. you can see clearly
you know i reported to google or microsoft this same they accepted as medium session management bug
I agree with Frédéric, it is not a bug as such. You can't use this method to hijack an account, without having access to the a@x.com's e-mail address, and if that was the case, you could change the e-mail address and then the password anyway.

Having said that, I think it would be a good idea to expire password change tokens once an e-mail change has been actioned. It seems like the 'best practice' thing to do.
Not a security bug, per comments 3 and 6.
Group: bugzilla-security
Severity: normal → minor
Bounty
(In reply to Frédéric Buclin from comment #3)
> When user X changes his email address, he is still user X,
> and so there is no reason to invalidate his password change request.

It's quite possible the reason they changed their address is because they lost control of the original email address -- and now possibly a malicious person still has access to a valid working password reset token and can take over their bugzilla account too.

Likewise we should expire password reset tokens if the user successfully logs in with their old password. If they say "I forgot my password" but then remember it they probably then won't use the reset token, which means it sits usable by anyone who was able to harvest it as it went by in plaintext mail until it expires.

Neither scenario keeps me awake at night, but they could plausibly happen to a few people here and there. It's no inconvenience to a legitimate user to invalidate the token in these cases (they aren't likely to expect them to work anyway, and can always request a new one) and doing so would make us safer in these edge cases.
it is minor bug so reward should also minor i reported this to google and they gives me 750$
Oh, actually this bug is invalid! I just tested against bmo, Bugzilla 4.2 and 4.5, and they all behave the same way. Once you log in (step 3), all pending tokens are invalidated:

    # The user's credentials are okay, so delete any outstanding
    # password tokens or login failures they may have generated.
    Bugzilla::Token::DeletePasswordTokens($user->id, "user_logged_in");

If you try to use the link in the "password change" email, the token is not longer recognized and you get this error:

 "The token you submitted does not exist, has expired, or has been canceled"


So Bugzilla already prevents to reuse old tokens.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: sec-bounty?
Resolution: --- → INVALID
Flags: sec-bounty-
but bug is early
You need to log in before you can comment on or make changes to this bug.