
Invalidate password reset token on email change #320

Closed
degeri opened this issue Mar 13, 2019 · 0 comments · Fixed by #323
Comments

@degeri
Member

degeri commented Mar 13, 2019

When a user changes their email ID, any password reset tokens that are valid for that user should be invalidated.

Attack Scenario:
Let's say the example1@example.com email is compromised and is in the hands of the attacker. The attacker requests a password reset email; in the meantime, the legitimate user logs in to the VSP and changes the email to a secure email, example2@example.com. Now the attacker can reset the password using the link that is available in example1@example.com and take over the account.

This is a very low-risk issue, since the reset link is invalidated after an hour and it requires that the email of the user gets compromised (which is out of our control).

This vulnerability has been reported through the bug bounty program.
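An added example (not the dcrstakepool code or the fix in #323) of the invalidation this issue asks for, in Go, with a constructed in-memory store standing in for the pool's database: changing a user's email deletes every reset token bound to that user, so a link already mailed to the old address no longer redeems, while tokens belonging to other users are untouched. `Store`, `RequestReset`, `ChangeEmail` and `Redeem` are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"time"
)

// resetToken binds a one-time password reset token to one user and an expiry.
type resetToken struct {
	userID  int
	expires time.Time
}
// Store is a constructed in-memory stand-in for the pool's user database.
type Store struct {
	emails map[int]string        // userID -> current email address
	tokens map[string]resetToken // token -> owner and expiry
}
func NewStore() *Store {
	return &Store{emails: map[int]string{}, tokens: map[string]resetToken{}}
}
// RequestReset issues a random token valid for one hour, as the issue describes.
func (s *Store) RequestReset(userID int) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.tokens[tok] = resetToken{userID: userID, expires: time.Now().Add(time.Hour)}
	return tok, nil
}
// ChangeEmail stores the new address and, like the fix for this issue, deletes every
// outstanding reset token for the user, so a link mailed to the old address is dead.
func (s *Store) ChangeEmail(userID int, newEmail string) {
	s.emails[userID] = newEmail
	for tok, rt := range s.tokens {
		if rt.userID == userID {
			delete(s.tokens, tok) // deleting during range is safe in Go
		}
	}
}
// Redeem consumes a token once; unknown or expired tokens are refused (ok == false).
func (s *Store) Redeem(tok string) (userID int, ok bool) {
	rt, found := s.tokens[tok]
	delete(s.tokens, tok) // single use either way
	if !found || time.Now().After(rt.expires) {
		return 0, false
	}
	return rt.userID, true
}
```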

degeri added a commit to degeri/dcrstakepool that referenced this issue Mar 16, 2019

Fixes decred#320

This will delete all reset tokens of a user when their email gets changed.

dajohi pushed a commit that referenced this issue Apr 12, 2019

Fixes #320

This will delete all reset tokens of a user when their email gets changed.