Password Reset Tokens Never Expire Vulnerability in Meteor Accounts using password.

[evolross]

Meteor Version: 1.10.2
Operating System: OS X & Galaxy

Upon calling Accounts.sendResetPasswordEmail a new reset password token is generated. Any tokens issued prior to this still work. This is considered a vulnerability on hacker one and weak security implementation.

I could see perhaps this being a usability issue if it takes a few minutes to receive a password reset email and the user is slamming the button thus causing each one that is sent to be invalidated and causing frustration once it arrives.

The obvious vulnerability is if an email account is compromised, an attacker could easily compromise a Meteor account with an old password reset token, then delete the reset email.

I believe in the current Meteor Accounts, password reset tokens expire by default after three days. It might be good to add a configurable setting to increase this to only a few minutes (for example) and/or add a setting to instantly invalidate previously issue password reset tokens upon issuance of a new token.

Easily reproduced in any Meteor install using Meteor Accounts and passwords.

[StorytellerCZ]

There is the loginExpirationInDays option param that can be adjusted to reduce the expiration time. So setting that to 1 will expire the token after 24 hours, but I agree that expiring the old token when a new is generated should also be added. Also after a token is used it should not be usable again...

[bcluyse]

Hi, I was taking a look into fixing this but I am unable to reproduce as the services.password.reset token is replaced when a new one is requested:

meteor/packages/accounts-password/password_server.js

Line 650 in 0a0cae2

'services.password.reset': tokenRecord

and it also removes the services.password.reset token when the password has been reset:

meteor/packages/accounts-password/password_server.js

Line 531 in 0a0cae2

$unset: { 'services.password.reset': 1 }

Am I overlooking something here or is this actually not an issue (anymore)?
Thanks

[StorytellerCZ]

@evolross Can you provide a reproduction?

[StorytellerCZ]

I'm closing this since we don't have a reproduction, feel free to open this if this encounter this issue and if possible, please provide a reproduction.

[evolross]

Finally tried to create a repo for this and upon a deeper investigation, the previous token indeed returns Token Expired as expected. My apologies for this one. I didn't fully investigate when my security researcher reported it.

They probably saw that it allows you to enter a new password but didn't test that it returns Token Expired upon actually trying to set it.

[StorytellerCZ]

No worries, I'm glad that everything checked out.