Security: Is `passwordChange` safe?
See original GitHub issueThe problem
passwordChange
is called with data.value.user
, and not the signed in user:
https://github.com/feathers-plus/feathers-authentication-management/blob/master/src/service.js#L66
Which suggests that a logged in user may change password for any users, by submitting a user which is not himself:
app.service('authManagement').create({
action: 'passwordChange',
value: {
user: 'this.is.not@me.com'
password: 'hijackedYourAccount'
}
})
Expected behavior
passwordChange
should use hook.params.user
Issue Analytics
- State:
- Created 6 years ago
- Comments:14
Top Results From Across the Web
Time to rethink mandatory password changes
When people hear that I conduct research on making passwords more usable and secure , everyone has a story to tell and questions...
Read more >How Often You Should Change Your Passwords, According to ...
Most security experts believe that if you have a strong and unique password, you shouldn't change it unless you believe it's been compromised. ......
Read more >Why Password Change Requirements are Bad
According to NIST, the FTC, Microsoft, and other leading organizations, required password changes might be a bad idea for both security and ...
Read more >Security Myths and Passwords - CERIAS - Purdue University
in General, Secure IT Practices ... analysis shows that a monthly password change has little or no end impact on improving security!
Read more >How Often Should You Change Your Passwords?
Let's take a look at some typical situations where a password change will be required. After A Security Breach: With massive breaches like...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
As far as I understand the module compares first the input old password to the current password of the user retrieved using the input email (see https://github.com/feathers-plus/feathers-authentication-management/blob/master/src/passwordChange.js#L34). This means that if you provide the email of someone else you need to know his current password to change it, so it is safe. Maybe this issue refers to a previous version or I miss the point ?
The only work I see remaining is having authentication-local check the isVerified field (if it exists) in the user-entity record. I’ve moved this to https://github.com/feathers-plus/authentication-local-management/issues/4 so I can close the multiple issues raised here.
Full details on the authenticated-local-management rewrite are posted to https://github.com/feathers-plus/authentication-local-management/blob/master/misc/upgrading.md