Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security 'forget your password' prone to phishing attacks #11071

Closed
RMastop opened this issue Dec 22, 2016 · 10 comments
Closed

security 'forget your password' prone to phishing attacks #11071

RMastop opened this issue Dec 22, 2016 · 10 comments
Assignees
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Milestone

Comments

@RMastop
Copy link
Contributor

RMastop commented Dec 22, 2016

The 'lost your password' is vulnerable to fishing attacks.

Usecase:
An attacker tries to reset the password of an account, the email gets send out. The attacker needs to check if they can login using this new password. (either by a user clicking the link in the email, or even worse, an automated email vulnerability scanner checking the URL in the email)

To prevent this from succeeding, the following can be done.
The confirmResetPassword class (in Login/controller.php) would need to have an extra check;
After the validation of the resetToken, the user needs to be asked to retype the previous chosen password (used in the initial change your password screen.)
Only after the successful confirmation of this password, the account password needs to be reset.

I'm not a PHP programmer, would this be easy to implement?

@RMastop RMastop changed the title security 'forget your password' prone to fishing security 'forget your password' prone to phishing attacks Dec 24, 2016
@KaanErturk
Copy link

Asking the new password in the very first page that can be accessed and submitted by anyone is kind of scary. I think it should only ask an email address (not even a username as it can't be changed) and the resulting page should have a generic message without verifying whether a user for that email address exists or not.

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Dec 26, 2016
@mattab
Copy link
Member

mattab commented Dec 26, 2016

Thanks for the report! Indeed our "Reset password" functionality would be better by having a reset link sent to the email to let the user then reset the password. I think it used to work in this way but i can't remember why we changed it.

or even worse, an automated email vulnerability scanner checking the URL in the email

@RMastop I had not heard that such things exist. Do you know any tool that does this? Clicking automatically in email link is a very broken thing in general and should not be done by any tool IMHO (but my opinion does not matter in this case, agreed)

@Findus23
Copy link
Member

Findus23 commented Dec 3, 2018

I think this is quite an important issue as it makes taking over an account too easy if the Matomo user is not careful with clicking on emails (which everyone should be, but no one is all the time).

I agree with @mattab that such a tool would be quite insane and will cause tons of damage with badly written websites, but Matomo shouldn't be one of them 🙂 and fundamentally a GET request should never do an irrevocable action like granting an attacker full access to a Matomo instance.
So at the very least there should be a confirmation page after clicking on the link (correct me if there is already one, I didn't double-check), but I think rewriting this feature to work as on every other website (link allows user to set a new password) will cause less confusion, more security and (hopefully) shouldn't be that much more work.

(feel free to move it to a later release if you disagree)

@tsteur
Copy link
Member

tsteur commented Dec 3, 2018

3.9.0 is already pretty full, earliest we would do this maybe is 3.10 but to be seen. Moving it into 3.10 for now.

@tsteur tsteur modified the milestones: 3.9.0, 3.10.0 Dec 3, 2018
@mattab
Copy link
Member

mattab commented Dec 3, 2018

Since we wouldn't want to change the whole password reset process, maybe it's good enough to ask for confirmation in a page, before actually resetting password?
Also maybe we could make the link non-clickable in the HTML email body so people are less likely to click on it?

@tsteur
Copy link
Member

tsteur commented Dec 3, 2018

I think asking for confirmation alone will already do 👍

@Findus23
Copy link
Member

Findus23 commented Dec 4, 2018

I am not sure if a confirmation page is enough as people can't know what password they are confirming.

link non-clickable in the HTML
That wouldn't help much as most (or at least my) E-Mail clients automatically link URLs.

@tsteur
Copy link
Member

tsteur commented Dec 4, 2018

They would confirm the password they set during the reset process. If someone else meanwhile requested another password, the original link would be invalidated.

If they didn't request the password, we would mention in the confirm etc to only confirm and reset it, if they actually requested it.

@mattab
Copy link
Member

mattab commented Jun 24, 2020

asking for confirmation

Sounds like the ideal solution, to ask for confirming the password after clicking the link.

@tsteur tsteur self-assigned this Jun 24, 2020
@Findus23
Copy link
Member

Confirming the password set would benefit a lot, even though I'd still prefer if the password reset would work just like every other website (forgot password -> enter email -> token sent to user per mail -> link to page that allows setting the new password). That way there is less user confusion and fewer ways an attacker can exploit the user confusion for phishing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Projects
None yet
Development

No branches or pull requests

5 participants