Password Reset Tokens Never Expire Vulnerability in Meteor Accounts using password. #11307
Comments
There is the
Hi, I was taking a look into fixing this but I am unable to reproduce as the
and it also removes the
Am I overlooking something here or is this actually not an issue (anymore)?
@evolross Can you provide a reproduction?
I'm closing this since we don't have a reproduction, feel free to open this if this encounter this issue and if possible, please provide a reproduction.
Finally tried to create a repo for this and upon a deeper investigation, the previous token indeed returns Token Expired as expected. My apologies for this one. I didn't fully investigate when my security researcher reported it. They probably saw that it allows you to enter a new password but didn't test that it returns Token Expired upon actually trying to set it.
No worries, I'm glad that everything checked out.
Meteor Version: 1.10.2
Operating System: OS X & Galaxy
Upon calling `Accounts.sendResetPasswordEmail`, a new reset password token is generated. Any tokens issued prior to this still work. This is considered a vulnerability on HackerOne and a weak security implementation. I could see perhaps this being a usability issue if it takes a few minutes to receive a password reset email and the user is slamming the button, thus causing each one that is sent to be invalidated and causing frustration once it arrives.
The obvious vulnerability is if an email account is compromised, an attacker could easily compromise a Meteor account with an old password reset token, then delete the reset email.
I believe in the current Meteor Accounts, password reset tokens expire by default after three days. It might be good to add a configurable setting to reduce this to only a few minutes (for example) and/or add a setting to instantly invalidate previously issued password reset tokens upon issuance of a new token.
Easily reproduced in any Meteor install using Meteor Accounts and passwords.