[SECURITY] Known race condition at user creation #20

Open
mohe2015 opened this issue Dec 25, 2021 · 2 comments
Labels: help wanted (Extra attention is needed), security

Comments

@mohe2015
Owner

When a user is created from the login page, there is a race condition with parallel normal user creation. To our knowledge, it may be possible that a slightly earlier user creation could lead to the user creation from the login page instead logging in to that account, which basically is an account takeover.

@mohe2015
Owner Author

Several ideas are shown in https://phabricator.wikimedia.org/T138678#3911381 but it seems like none of them is implemented and I couldn't find a way to fix this yet without just removing that feature. Any help is really appreciated.

@mohe2015 added the help wanted (Extra attention is needed) label Dec 25, 2021
@mohe2015 pinned this issue Dec 25, 2021
@mohe2015
Owner Author

mohe2015 commented Mar 16, 2022

I actually got a response there, so somebody should investigate this some time.
