This repository has been archived by the owner on May 10, 2019. It is now read-only.
We have found a fault in the password-change scenario. Actually, someone was able to send himself an invitation mail in order to change the password of another member. The consequence is that he could take over the account of the other member.
The scenario is shown below:
Alice has the account "alice.dodgson" with the following e-mail: "alice@wonderland.org".
Malory also has an account and wants to steal Alice's.
He sends an invitation to alice.dodgson but to his own e-mail "malory@hell.com".
We have done the test in order to verify there is a real fault.
The two following screenshots show there was a real problem to fix.
Solve the problem
First, we wrote an algorithm, which we followed to solve the problem.
We have reached our goal and the fault has disappeared.
The following two screenshots show the result when someone tries to steal someone else's account.
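An added example of the scenario above, not the repository's code (the authors' own fix is not shown on this page): the vulnerable invitation handler beside one that only mails the link to the address registered for the login, plus a redemption check bound to that address. `ACCOUNTS`, `SERVER_KEY` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data mirroring the scenario in the report.
ACCOUNTS = {"alice.dodgson": "alice@wonderland.org", "malory": "malory@hell.com"}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


def _norm(email):
    """Normalise an address for comparison (trim, lower-case, bytes)."""
    return email.strip().lower().encode()


def _token(login, email):
    """MAC that binds a token to one login and one delivery address."""
    msg = login.encode() + b"\n" + _norm(email)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def invite_vulnerable(target_login, email):
    """The reported flaw: a link for target_login is mailed to any address."""
    return {"to": email, "login": target_login, "token": _token(target_login, email)}


def invite_hardened(target_login, email):
    """Mail the link only to the address registered for target_login."""
    registered = ACCOUNTS[target_login]  # KeyError for an unknown login
    if not hmac.compare_digest(_norm(registered), _norm(email)):
        raise PermissionError("address does not match the account's e-mail")
    return {"to": registered, "login": target_login,
            "token": _token(target_login, registered)}


def redeem(login, token):
    """Second check: the token must be bound to the address on file."""
    registered = ACCOUNTS.get(login)
    if registered is None:
        return False
    expected = _token(login, registered)
    return hmac.compare_digest(token.encode(), expected.encode())
```

Checking at both issue time and redemption time means a token minted for a mismatched address is useless even if a request slips past the first check.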