Closed Bug 620576 Opened 14 years ago Closed 12 years ago

developer.mozilla.org Forgot Password flow - password in plain text in email.

Categories

(developer.mozilla.org Graveyard :: Wiki pages, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ozten, Assigned: groovecoder)

References

Details

(Whiteboard: [infrasec:crypto][ws:high])

A follow-on to bug 620395. The forgot password flow also emails a replacement password in plain text.

Repro:
1) Go to https://developer-stage9.mozilla.org/Special:UserPassword
2) Enter an existing email

Actual
Note you've been emailed a plain text password

Expected
A url with a unique token that allows you to change your password

Note: You can also attack another deki user if you know their email address by periodically requesting a new password. Their real one won't work and they will have to check their email and re-login.

Unlike bug 620395, this is a design flaw and cannot be fixed by updating copy, as that would leave a user with no way to reclaim or change a password.

Long Term Fix: SSO will resolve this issue.
Short Term: Do we need to engage Mindtouch for a new Forgot Password flow?
Whiteboard: [infrasec:crypto][ws:high]
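The "Expected" behaviour above (a URL carrying a unique token instead of a password in the mail) and the lock-out note about repeatedly requesting a new password for someone else's address are both addressed by the same design. The following is an added illustration, not code from the bug, from MindTouch Deki or from MDN's later Django/BrowserID implementation; the in-memory user table, the reset URL format, the one-hour token lifetime and the PBKDF2 parameters are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Token lifetime: an assumption for this example, not a value from the bug.
TOKEN_TTL_SECONDS = 60 * 60


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 of the password; returns (salt, digest).
    The iteration count is an assumption for the example."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordResetService:
    """Token-based forgot-password flow: the email carries a one-time URL, never a password.

    Two properties matter for the bug report above:
      * nothing secret enough to log in with ever appears in the email body; and
      * requesting a reset leaves the current password untouched, so a third party who
        knows the victim's address cannot lock them out by asking for resets repeatedly.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so expiry can be tested
        self.users = {}                    # hypothetical in-memory user table
        # token sha256 -> (email, expires_at). Only the hash of the token is stored,
        # so a leaked copy of this table does not yield usable reset links.
        self.pending = {}

    def create_user(self, email, password):
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest}

    def login(self, email, password):
        user = self.users.get(email)
        return user is not None and check_password(password, user["salt"], user["digest"])

    def request_reset(self, email):
        """Return the reset URL that would be emailed, or None for an unknown address.
        The caller should show the same "check your email" page either way so the
        flow does not reveal which addresses have accounts."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode()).digest()
        self.pending[key] = (email, self.clock() + TOKEN_TTL_SECONDS)
        # Hypothetical URL; the real endpoint is whatever the site's reset view is.
        return "https://developer.mozilla.org/reset?token=" + token

    def redeem(self, token, new_password):
        """Consume the token from the emailed URL and set a new password.
        Returns True on success. The token is single-use: it is removed from the
        pending table before any check, so a failed or expired attempt cannot be retried."""
        key = hashlib.sha256(token.encode()).digest()
        # Lookup by hash of a random 256-bit token: an attacker cannot steer the
        # comparison without the token itself, so dict lookup is acceptable here.
        entry = self.pending.pop(key, None)
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        salt, digest = hash_password(new_password)
        self.users[email] = {"salt": salt, "digest": digest}
        return True
```

The important contrast with the behaviour in the report is in `request_reset`: it writes only a hashed, expiring token and returns a URL for the mail, while the user's existing password keeps working until `redeem` succeeds. A user who never clicks the link is unaffected, which is exactly what the plain-text replacement password broke.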
Luke,

Thoughts on this bug? Will an upgrade fix this or do we need to reach out to Mindtouch? It would be great to get plain text passwords out of emails.
We upgraded MT to 10 recently. I'll check it again.
Assignee: nobody → lcrouch
Whiteboard: [infrasec:crypto][ws:high] → [infrasec:crypto][ws:high] p=1 c=mindtouch u=all
Target Milestone: --- → 1.2
Depends on: 687668
This is NOT fixed in MT 10.1 and still affects both staging and production. I've filed an issue with MT.
Target Milestone: 1.2 → 1.3
Raymond, were you able to find any bug with our own patch for this issue?
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Raymond, were you able to find any bug with our own patch for this issue?

I'm still digging through Bugzilla. I'll update this bug when I find it.
*facepalm* Yet another reason for bug 674635, so we can have more control over account management. I'm guessing it'll be easier to switch to Django auth than get Mindtouch to change their product.

At least it's the temporary password and not the permanent password, though we're still candidates for http://plaintextoffenders.com/
Depends on: 674635
Raymond, did you ever find the old bug with a patch for this?
(In reply to Luke Crouch [:groovecoder] from comment #7)
> Raymond, did you ever find the old bug with a patch for this? 

It might have been https://bugzilla.mozilla.org/show_bug.cgi?id=620395 . I can't tell since I am no longer cc'ed on the bug
Yup, that's the one. There's a patch for it there.
Target Milestone: 1.3 → 1.4
Whiteboard: [infrasec:crypto][ws:high] p=1 c=mindtouch u=all → [infrasec:crypto][ws:high]
Target Milestone: 1.4 → 1.5
Target Milestone: 1.5 → 1.6
Target Milestone: 1.6 → ---
This is fixed with the move to BrowserID! w00t!
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
To the end of an era! Forgot Password Flow die!

Great work groovecoder
Version: Deki → unspecified
Component: Website → Landing pages
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard