mohe2015 / AuthManagerOAuth

Create accounts or login using OAuth
GNU General Public License v2.0

[SECURITY] Known race condition at user creation #20

Open mohe2015 opened 2 years ago

mohe2015 commented 2 years ago

When a user is created from the login page there is a race condition with parallel normal user creation. To our knowledge it may be possible that a slightly earlier user creation could lead to the user creation from the login page instead logging into that account, which is basically an account takeover.
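To make the reported race concrete, here is an added illustration (not code from AuthManagerOAuth or MediaWiki) of the check-then-act pattern the comment describes and of a shape that avoids it. The schema, the `user` table, the function names and the `between_check_and_insert` hook are all assumptions made for this example; the hook stands in for the competing "normal" registration request winning the race, so the interleaving can be reproduced deterministically without threads.

```python
import sqlite3


class AccountExists(Exception):
    """Raised when the login-page flow finds the name already taken."""


def make_db():
    # Constructed in-memory schema; `origin` records which flow created the row.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT UNIQUE, origin TEXT)"
    )
    return conn


def normal_create(conn, name):
    """The ordinary registration path that races with the login-page flow."""
    cur = conn.execute("INSERT INTO user(name, origin) VALUES (?, 'normal')", (name,))
    conn.commit()
    return cur.lastrowid


def vulnerable_create_or_login(conn, name, between_check_and_insert=None):
    """Check whether the name exists, create it if not, then log in *by name*.

    Returns (id, origin) of the account the session ends up attached to.
    """
    row = conn.execute("SELECT id FROM user WHERE name = ?", (name,)).fetchone()
    if row is None:
        if between_check_and_insert:
            between_check_and_insert()  # the other request lands here
        try:
            conn.execute("INSERT INTO user(name, origin) VALUES (?, 'oauth')", (name,))
            conn.commit()
        except sqlite3.IntegrityError:
            # Bug: treats "someone created it meanwhile" as harmless and falls
            # through to a login by name, i.e. into the other person's account.
            pass
    return conn.execute("SELECT id, origin FROM user WHERE name = ?", (name,)).fetchone()


def safe_create_then_login(conn, name, between_check_and_insert=None):
    """Insert first, rely on the UNIQUE constraint, and only ever log in to the
    row this request itself created (by its returned id, never by name).
    """
    if between_check_and_insert:
        between_check_and_insert()
    try:
        cur = conn.execute("INSERT INTO user(name, origin) VALUES (?, 'oauth')", (name,))
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()
        # A conflict means we did not create the account; refuse to log in.
        raise AccountExists(f"user {name!r} was created concurrently")
    return (cur.lastrowid, "oauth")


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_create_or_login(
        conn, "alice", lambda: normal_create(conn, "alice")))
    conn = make_db()
    try:
        safe_create_then_login(conn, "alice", lambda: normal_create(conn, "alice"))
    except AccountExists as e:
        print("safe:", e)
```

The point of the safe variant is that the database's uniqueness guarantee, not an earlier `SELECT`, decides who owns the name, and the session is bound to the row id the insert returned rather than to a second lookup by name. Whatever the real fix looks like in the extension, it needs the same property: the login-page flow must never end up authenticated as an account it did not itself create.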

mohe2015 commented 2 years ago

Several ideas are shown in https://phabricator.wikimedia.org/T138678#3911381 but it seems like none of them is implemented and I couldn't find a way to fix this yet without just removing that feature. Any help is really appreciated.

mohe2015 commented 2 years ago

I actually got a response there, so somebody should investigate this some time.