SECURITY: API PUT /users/self - verify e-mail on update - read the description please #54

tiblu · 2018-11-21T22:53:42Z

Overview

When User updates e-mail in the profile, it does not get verified.

PANIC!? I don't think so, but definitely not nice.

What vector does it open up?

User A has never used the application, has no account with his e-mail.
User B registers with an e-mail belonging to him (B), doing the full verification flow.
User B updates his e-mail to e-mail belonging to A, NO verification.
User A:
4.1 Logs in with FB/Google that has the e-mail in the profile, User A sees whatever malicious user B has done in the account. If A changes the password, B is lock out and cannot access it any more.
4.2 Tries to create an account with e-mail/password and gets an error "e-mail already in use". He is confused and goes for the "Forgot password flow" after which A verifies the ownership of e-mail and gets the account locking malicious user B out.

Credits

Related code:

TODO

tiblu · 2018-11-21T22:55:20Z

Credits to @moll for pointing this out.

ilmartyrk · 2019-01-22T19:43:45Z

tiblu added this to Wish list in Winter Push For Perfection (WPFP) via automation Nov 21, 2018

tiblu added critical App down / data leak / core functionality not usable. security labels Nov 21, 2018

tiblu moved this from Wish list to TODO - prioritized in Winter Push For Perfection (WPFP) Jan 21, 2019

ilmartyrk mentioned this issue Jan 22, 2019

Make users verify updated email address #101

Merged

ilmartyrk closed this as completed Jan 22, 2019

Winter Push For Perfection (WPFP) automation moved this from TODO - prioritized to DONE - deployed to production Jan 22, 2019

Provide feedback