
Invalidate password reset token on email change #320

Closed
degeri opened this issue Mar 13, 2019 · 0 comments

@degeri
Contributor

commented Mar 13, 2019

When a user changes their email ID, any password reset tokens that are valid for that user should be invalidated.

Attack Scenario:
Let's say the example1@example.com email is compromised and is in the hands of the attacker. The attacker requests a password reset email; in the meantime legituser logs in to the VSP and changes the email to a secure email, example2@example.com. Now the attacker can reset the password using the link that is available in example1@example.com and take over the account.

This is a very low risk issue, since the reset link is invalidated after an hour and it requires that the email of the user gets compromised (which is out of our control).

This vulnerability has been reported through the Bug Bounty program.
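An added example, not dcrstakepool's own code, of the behaviour the fix needs: a minimal in-memory store where `ChangeEmail` deletes every outstanding reset token of the user, so a link that already reached the old (compromised) mailbox can no longer reset the password. `Store`, `RequestReset`, `ChangeEmail` and `ResetPassword` are assumed names, and user ids are assumed to come from an authenticated session.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// Constructed model, not dcrstakepool's code; user ids are assumed to come from an
// authenticated session, so every id passed in exists in the store.
type User struct{ Email, Password string }

type Store struct {
	users  map[string]*User  // user id -> account
	tokens map[string]string // reset token -> owning user id
}
func NewStore() *Store { return &Store{users: map[string]*User{}, tokens: map[string]string{}} }
func (s *Store) AddUser(id, email string) { s.users[id] = &User{Email: email} }

// RequestReset issues a random single-use token, the secret a mailed reset link carries.
func (s *Store) RequestReset(userID string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.tokens[tok] = userID
	return tok, nil
}

// ChangeEmail updates the address and, as the fix does, drops every outstanding
// reset token of that user, so a link already sent to the old address is dead.
func (s *Store) ChangeEmail(userID, newEmail string) {
	s.users[userID].Email = newEmail
	for tok, owner := range s.tokens {
		if owner == userID {
			delete(s.tokens, tok)
		}
	}
}

// ResetPassword consumes a token; unknown or already-used tokens are rejected.
func (s *Store) ResetPassword(tok, newPassword string) bool {
	userID, ok := s.tokens[tok]
	if !ok {
		return false
	}
	delete(s.tokens, tok) // single use
	s.users[userID].Password = newPassword
	return true
}
```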

degeri added a commit to degeri/dcrstakepool that referenced this issue Mar 16, 2019

Delete password reset tokens on email change
Fixes decred#320 

This will delete all reset tokens of the user when their email gets changed.

@dajohi dajohi closed this in #323 Apr 12, 2019

dajohi added a commit that referenced this issue Apr 12, 2019

Delete password reset tokens on email change (#323)
Fixes #320 

This will delete all reset tokens of the user when their email gets changed.