ZcashFoundation / zcash-grant-system

The Zcash Foundation Grant System
https://grants.zfnd.org
MIT License
11 stars, 8 forks

Forgot password reset link doesn't expire after password changed #423

Closed. Polapan closed this issue 5 years ago.

Polapan commented 5 years ago

Hi, hope you guys are doing great. I want to report an issue regarding the forgot-password mechanism.

ISSUE: One thing I noticed is that when a password reset link is requested and the user changes their password, that reset link should expire immediately, but in your case the used reset link can be reused again and again. This will allow an attacker to take over the victim's account if he somehow gains access to the victim's email account and finds a password reset token in the emails.

POC:

1. Go to https://grants.zfnd.org/auth/recover
2. Enter your email address and you will get a password reset token in your email.
3. Now change your password using that link and you will be able to log in successfully with your new password.
4. Now log out and change the password again using the reset token that was sent in step 2.
5. You will see that your password is changed again.

POSSIBLE FIX: All used password reset links should be expired immediately. All unused password reset tokens should be expired immediately when a new token is issued.

dternyak commented 5 years ago

Hi Polapan,

Thanks for your report. We are unable to reproduce this, and the logic in the route that powers this would lead us to believe this is a non-issue.

```python
@body({
    "password": fields.Str(required=True)
})
def recover_email(code, password):
    # Look up the one-time recovery record for this code
    er = EmailRecovery.query.filter_by(code=code).first()
    if er:
        if er.is_expired():
            return {"message": "Reset code expired"}, 401
        auth.throw_on_banned(er.user)
        er.user.set_password(password)
        # The record is deleted once the password is set, so the same
        # link cannot be used a second time
        db.session.delete(er)
        db.session.commit()
        return {"message": "ok"}, 200

    return {"message": "Invalid reset code"}, 400
```

Are you sure you're changing the password using the new link? We don't expire the token unless at least one hour has gone by or the password has been changed.

Please feel free to follow up by following our disclosure policy as outlined here
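To make the two behaviours under discussion concrete (a reset code that is consumed on first use, and the stronger policy from the report that issuing a new code or changing the password retires every unused code for that user), here is an added, self-contained Python model of the flow. It is example code written for this page, not the project's route or its SQLAlchemy models; the in-memory `Store`, the one-hour `RESET_TTL`, the PBKDF2 password hashing and the `demo()` scenario data are all assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed lifetime, matching the "at least one hour" the maintainer describes.
RESET_TTL = timedelta(hours=1)


@dataclass
class User:
    email: str
    pw_salt: bytes = b""
    pw_hash: bytes = b""
    banned: bool = False


@dataclass
class EmailRecovery:
    """One outstanding reset code; only its hash is stored, so a leaked table
    does not yield usable reset links."""
    user: User
    code_hash: str
    created_at: datetime

    def is_expired(self, now):
        return now - self.created_at > RESET_TTL


@dataclass
class Store:
    """Stand-in for the SQLAlchemy session and tables used by the real route."""
    users: dict = field(default_factory=dict)        # email -> User
    recoveries: dict = field(default_factory=dict)   # code_hash -> EmailRecovery

    def drop_recoveries_for(self, user):
        for h in [h for h, er in self.recoveries.items() if er.user is user]:
            del self.recoveries[h]


def _code_hash(code):
    return hashlib.sha256(code.encode()).hexdigest()


def set_password(user, password):
    user.pw_salt = secrets.token_bytes(16)
    user.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user.pw_salt, 200_000)


def verify_password(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.pw_salt, 200_000)
    return bool(user.pw_hash) and secrets.compare_digest(user.pw_hash, candidate)


def request_recovery(store, email, now):
    """Issue a fresh code. Unused codes for the same user are retired first,
    so only the newest link in the inbox works (the second fix proposed in the report)."""
    user = store.users.get(email)
    if user is None:
        return None  # caller answers identically either way; do not reveal whether the address exists
    store.drop_recoveries_for(user)
    code = secrets.token_urlsafe(32)
    store.recoveries[_code_hash(code)] = EmailRecovery(user, _code_hash(code), now)
    return code  # would be e-mailed; returned here only so the example can exercise it


def recover_email(store, code, password, now):
    """Same shape as the route quoted above: reject unknown or expired codes,
    set the password, then delete the record so the link cannot be replayed."""
    er = store.recoveries.get(_code_hash(code))
    if er is None:
        return {"message": "Invalid reset code"}, 400
    if er.is_expired(now):
        del store.recoveries[er.code_hash]
        return {"message": "Reset code expired"}, 401
    if er.user.banned:
        return {"message": "Account is banned"}, 403
    set_password(er.user, password)
    # A password change ends every pending recovery for the user, not just the one used.
    store.drop_recoveries_for(er.user)
    return {"message": "ok"}, 200


def demo():
    """Walk the report's steps with constructed data and return the status codes."""
    store = Store()
    store.users["victim@example.com"] = User("victim@example.com")  # constructed sample user
    t0 = datetime(2019, 4, 5, 12, 0, tzinfo=timezone.utc)
    code = request_recovery(store, "victim@example.com", t0)
    result = {"first_use": recover_email(store, code, "new-pw-1", t0 + timedelta(minutes=5))[1]}
    # step 4 of the report: replay the same link after it has been used
    result["replay"] = recover_email(store, code, "attacker-pw", t0 + timedelta(minutes=6))[1]
    result["password_kept"] = verify_password(store.users["victim@example.com"], "new-pw-1")
    old = request_recovery(store, "victim@example.com", t0)
    result["expired"] = recover_email(store, old, "x", t0 + timedelta(hours=1, seconds=1))[1]
    superseded = request_recovery(store, "victim@example.com", t0)
    newest = request_recovery(store, "victim@example.com", t0)
    result["superseded"] = recover_email(store, superseded, "y", t0)[1]
    result["newest"] = recover_email(store, newest, "y", t0)[1]
    result["unknown_email"] = request_recovery(store, "nobody@example.com", t0)
    return result
```

Running `demo()` gives 200 for the first use of a link, 400 for the replay in step 4 of the report (with the first new password still the valid one), 401 for a code older than an hour, 400 for a code that was superseded by a newer request, and 200 for the newest code. The route quoted by the maintainer already gets the replay case right by deleting the record; the extra `drop_recoveries_for` calls are what implement the "expire all unused tokens" half of the proposed fix.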

Polapan commented 5 years ago

Hello there,

If the attacker wants to attack the victim within an hour, see that the two links only expire after one hour.

Here is the link: https://hackerone.com/reports/244642

I hope you will understand. Thanks.

On Fri, 5 Apr 2019 at 22:59, Daniel Ternyak notifications@github.com wrote:

Closed #423 https://github.com/grant-project/zcash-grant-system/issues/423.
