~mariusor/go-activitypub#245: 
Reset password link can be abused

Currently the reset password can be abused at any time to change a user's password.

Status
REPORTED
Submitter
~mariusor
Assigned to
No-one
Submitted
2 years ago
Updated
1 year, 8 months ago
Labels
brutalinks v0.1

~mariusor added brutalinks 2 years ago

~mariusor added v0.1 2 years ago

~mariusor 2 years ago

This is a bit shameful, but meh, we're not even in alpha.

~mariusor 2 years ago

I can't think of a good check to do before allowing the password change. Something that could work and came to mind is:

Obfuscate the UUID to the one of an Update with a restricted audience (so, not public to be able to infer the user UUID from it).

When the user / moderator generates a pw change link, then an Update activity is created (with the instance actor in the audience) with the corresponding Actor as an Object and its UUID is used as the pw change identifier.

~mariusor 1 year, 8 months ago

The change password doesn't work if the preferredUsername is not empty.

So one mechanism for allowing a user's password change is to also clear their preferredUsername.

Register here or Log in to comment, or comment via email.