Closed (cryogen closed this 5 years ago)
It actually happened to me! See https://github.com/oftc/oftc-ircservices/issues/23
If I am not mistaken, changing the master nick eliminates the risk: it makes it impossible to use the key for the account; it is no longer valid. This is perhaps a workaround.
<@Myon> shouldn't even be hard, add a DB call at modules/nickserv.c line 1815
From #31:
In order to fix the underlying issue, the sendpass token either would need to be something random, stored in and retrieved from the database, or derived from the password hash, so that it's automatically invalidated when the user's password changes.
They probably should be, or else the password can be reset multiple times, and if someone pastes their token after use, the account can be taken over.
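The second option quoted from #31 (a sendpass token derived from the current password hash, so that a password change invalidates it) can be shown in a few lines. The code below is an added illustration written for this page; it is not oftc-ircservices code and it is in Python rather than the project's C. The function names, the token layout (nick, expiry, HMAC), the use of PBKDF2 for the stored password hash, the server secret and the in-memory account table are all assumptions made for the example. Because the nick is also bound into the MAC, the example also exhibits the effect described above, where changing the master nick invalidates an outstanding token.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed for this example: a per-server secret and an in-memory
# account table standing in for the services database.
SERVER_SECRET = b"example-only-server-secret-replace-in-real-deployments"
TOKEN_LIFETIME = 24 * 3600  # seconds a sendpass token stays valid
accounts = {}  # nick -> {"pwhash": salt + pbkdf2 digest}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn on every change."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def register(nick, password):
    accounts[nick] = {"pwhash": hash_password(password)}


def set_password(nick, password):
    # A new salt means the stored hash changes even if the password repeats,
    # so any token derived from the old hash stops verifying.
    accounts[nick]["pwhash"] = hash_password(password)


def _token_mac(nick, expiry, pwhash):
    # Bind the token to the account, its expiry and the *current* password
    # hash. Nothing about this needs to be stored in the database.
    msg = nick.encode() + b"\0" + struct.pack(">Q", expiry) + b"\0" + pwhash
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_sendpass_token(nick, now):
    """Token a SENDPASS handler would mail out: nick, expiry, MAC."""
    expiry = now + TOKEN_LIFETIME
    mac = _token_mac(nick, expiry, accounts[nick]["pwhash"])
    raw = nick.encode() + b"\0" + struct.pack(">Q", expiry) + mac
    return base64.urlsafe_b64encode(raw).decode()


def verify_sendpass_token(token, now):
    """Return the nick the token is valid for, or None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        nick_bytes, rest = raw.split(b"\0", 1)
    except ValueError:  # includes binascii.Error from bad base64
        return None
    if len(rest) != 8 + 32:
        return None
    expiry = struct.unpack(">Q", rest[:8])[0]
    mac = rest[8:]
    nick = nick_bytes.decode(errors="replace")
    if nick not in accounts or now > expiry:
        return None
    # Recompute against the password hash stored *now*. If the password (or
    # the nick) changed since issue, the MAC no longer matches.
    expected = _token_mac(nick, expiry, accounts[nick]["pwhash"])
    if not hmac.compare_digest(mac, expected):
        return None
    return nick


def reset_password_with_token(token, new_password, now):
    """The reset step: once it succeeds, the same token cannot be replayed."""
    nick = verify_sendpass_token(token, now)
    if nick is None:
        return False
    set_password(nick, new_password)
    return True


if __name__ == "__main__":
    register("alice", "hunter2")
    tok = issue_sendpass_token("alice", 1_000_000)
    print("first reset:", reset_password_with_token(tok, "newpass", 1_000_001))
    print("replay:", reset_password_with_token(tok, "attacker", 1_000_002))
```

The first reset succeeds and the replay fails, because the replayed token was computed over the previous password hash. A token is also rejected after its expiry, when its MAC has been tampered with, or when the nick it names no longer exists. The alternative design from #31, a random token stored in the database, needs one column and a delete on successful reset; the derived form shown here avoids the storage but requires a server secret that must be protected like the password database itself.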