ASL-19 / civicdr-backend

GNU General Public License v3.0

CDR-01-007 Web: Account spamming via create profile endpoint #12

Closed seamustuohy closed 7 years ago

seamustuohy commented 7 years ago

When a user logs in for the first time, the account setup workflow is triggered. The user can specify information about the account, e.g. choosing a name, description, fees etc.

After the form is submitted, a POST request to the /profile endpoint is triggered. The request stores the user-submitted information and it was discovered that not only can a user replay this request but also that a new account gets created for each request. This allows any valid user to spam the web application by replaying the request many times. In other words, an extremely large number of accounts can be created.

It is recommended to ensure that an authenticated service provider or an implementing partner can only create their own account once. This may be possible to implement by leveraging the authorization header, which confirms the role of the user. The backend should in turn verify whether an account already exists for this user and create it only in case of not identifying an already existing one. Otherwise, if an account already exists for the given user, no more accounts should be allowed. Alternatively, the user-creation process could be left to an administrator. In that case service providers and implementing partners should only be able to update their own information once they have been authenticated.

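The two remedies described in the report, as an added example in Node.js (this is not civicdr-backend's own code). It models the POST /profile handler in the replayable shape the finding describes and in a hardened shape that permits one profile per authenticated principal, plus the alternative of admin-created accounts with owner-only updates. The bearer-token table, the role names, the field names and the in-memory store are assumptions made for the example; the real backend verifies a signed token and talks to a database.

```javascript
'use strict';
// Added example, not code from civicdr-backend. Assumptions: the Authorization
// header carries a bearer token that maps to {sub, role}; profiles are stored
// with a unique index on the owner id; role and field names are invented.

// Constructed token table standing in for real signed-token verification.
const TOKENS = {
  'tok-sp-1': { sub: 'sp-1', role: 'service_provider' },
  'tok-ip-1': { sub: 'ip-1', role: 'implementing_partner' },
  'tok-admin': { sub: 'admin-1', role: 'admin' },
};
const SELF_SERVICE_ROLES = new Set(['service_provider', 'implementing_partner']);
const EDITABLE_FIELDS = ['name', 'description', 'fees'];

function authenticate(req) {
  const m = /^Bearer\s+(\S+)$/i.exec((req.headers && req.headers.authorization) || '');
  return m ? TOKENS[m[1]] || null : null;
}

// In-memory store with a unique index on owner, mirroring a DB unique constraint.
// The constraint is what closes the check-then-insert race between concurrent replays.
function newStore() {
  return { nextId: 1, profiles: new Map(), byOwner: new Map() };
}
function insertProfile(store, owner, fields) {
  if (store.byOwner.has(owner)) throw new Error('unique violation: owner');
  const id = `acct-${store.nextId++}`;
  const profile = { id, owner, ...fields };
  store.profiles.set(id, profile);
  store.byOwner.set(owner, id);
  return profile;
}
function pickFields(body) {
  const out = {};
  for (const f of EDITABLE_FIELDS) if (body && body[f] !== undefined) out[f] = body[f];
  return out;
}

// Vulnerable shape: every authenticated POST /profile inserts another account,
// so replaying the request N times yields N accounts for the same user.
function vulnerableCreateProfile(store, req) {
  const principal = authenticate(req);
  if (!principal) return { status: 401, body: { error: 'unauthenticated' } };
  const id = `acct-${store.nextId++}`;
  const profile = { id, owner: principal.sub, ...pickFields(req.body) };
  store.profiles.set(id, profile);
  return { status: 201, body: profile };
}

// Hardened shape: the owner is taken from the token, never from the body, and a
// second create for the same principal is refused with 409.
function createProfile(store, req) {
  const principal = authenticate(req);
  if (!principal) return { status: 401, body: { error: 'unauthenticated' } };
  if (!SELF_SERVICE_ROLES.has(principal.role)) return { status: 403, body: { error: 'forbidden' } };
  const existingId = store.byOwner.get(principal.sub);
  if (existingId) return { status: 409, body: { error: 'profile already exists', id: existingId } };
  try {
    return { status: 201, body: insertProfile(store, principal.sub, pickFields(req.body)) };
  } catch (e) { // lost a race with a concurrent replay: same answer as the check above
    return { status: 409, body: { error: 'profile already exists', id: store.byOwner.get(principal.sub) } };
  }
}

// Alternative from the report: an administrator creates the account and the
// owner may only update their own record afterwards.
function adminCreateProfile(store, req) {
  const principal = authenticate(req);
  if (!principal) return { status: 401, body: { error: 'unauthenticated' } };
  if (principal.role !== 'admin') return { status: 403, body: { error: 'forbidden' } };
  const owner = req.body && req.body.owner;
  if (!owner) return { status: 400, body: { error: 'owner required' } };
  if (store.byOwner.has(owner)) return { status: 409, body: { error: 'profile already exists' } };
  return { status: 201, body: insertProfile(store, owner, pickFields(req.body)) };
}
function updateProfile(store, req) {
  const principal = authenticate(req);
  if (!principal) return { status: 401, body: { error: 'unauthenticated' } };
  const id = store.byOwner.get(principal.sub); // only the caller's own profile is reachable
  if (!id) return { status: 404, body: { error: 'no profile for this user' } };
  const profile = Object.assign(store.profiles.get(id), pickFields(req.body));
  return { status: 200, body: profile };
}

// Replay one captured request n times against a handler and report the damage.
function replayDemo(handler, n = 10) {
  const store = newStore();
  const req = { headers: { authorization: 'Bearer tok-sp-1' }, body: { name: 'Helpline', fees: 'none' } };
  const statuses = [];
  for (let i = 0; i < n; i++) statuses.push(handler(store, req).status);
  return { accounts: store.profiles.size, statuses };
}

console.log('vulnerable:', replayDemo(vulnerableCreateProfile));
console.log('hardened:  ', replayDemo(createProfile));
```

The in-memory unique index matters more than the `byOwner.get` check that precedes the insert: two replays arriving concurrently can both pass the check, so the real fix is a unique constraint on the owner column in the database, with the handler translating the constraint violation into the same 409 it returns for the ordinary duplicate. The role check also matters in the admin variant, since otherwise any authenticated user could call the admin route with an arbitrary `owner` and seed accounts for other people.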
seamustuohy commented 7 years ago

Mitigation Plan: