oftc / oftc-ircservices

OFTC's IRC Services
https://www.oftc.net/CodingProjects/
GNU General Public License v2.0

SENDPASS nickname generates a key which is not one-time use #23

Closed gustavonmartins closed 7 years ago

gustavonmartins commented 7 years ago

I have just requested /msg nickserv SENDPASS, and got an email with a command to paste in IRC in order to change my password, in the form of "/msg NickServ SENDPASS mynick small-number:big-number".

After this, the nickserv had some trouble recognizing me, but eventually it did. Unfortunately, I pasted and sent the message with the big number into the #oftc room because I thought this command expires after being used, but to my surprise, people on the channel were able to change my password!

This is very disturbing and I hope I don't lose my nick.

Please, update the system so that this big number becomes invalid after one-time use. The code for this seems to be inside the file: oftc-ircservices/modules/nickserv.c

gustavonmartins commented 7 years ago

This type of problem was already predicted 3 years ago, see issue https://github.com/oftc/oftc-ircservices/issues/1

Svetlana-T commented 7 years ago

(would like to close this issue and duplicate and continue discussion on the other bug, but I don't see a close button)

df7cb commented 7 years ago

Duplicate of #1.
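An added sketch of the one-time-use behaviour requested in this issue (not code from oftc-ircservices and not any participant's post): the reset key is burned on its first successful use or on expiry, so a key pasted into a channel afterwards no longer works. `reset_record`, `reset_issue`, `reset_redeem`, `TOKEN_LEN` and the one-hour `TOKEN_TTL` are hypothetical names and values, and the key is assumed to come from a CSPRNG.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 32    /* key length in characters (assumed for this sketch) */
#define TOKEN_TTL 3600  /* seconds a reset key stays valid (assumed) */

/* Hypothetical per-nick reset record; not a structure from oftc-ircservices. */
struct reset_record {
    char   token[TOKEN_LEN + 1];
    time_t issued;
    int    pending;     /* 1 while the key has not been used or expired */
};

/* Compare without an early exit so timing does not reveal a matching prefix. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Store a fresh key (at least TOKEN_LEN characters, generated by the caller). */
void reset_issue(struct reset_record *r, const char *token, time_t now)
{
    memcpy(r->token, token, TOKEN_LEN);
    r->token[TOKEN_LEN] = '\0';
    r->issued = now;
    r->pending = 1;
}

/* Returns 1 at most once per issued key; replayed, wrong or expired keys
 * return 0. */
int reset_redeem(struct reset_record *r, const char *supplied, time_t now)
{
    int expired;

    if (!r->pending || strlen(supplied) != TOKEN_LEN)
        return 0;
    expired = now < r->issued || now - r->issued > TOKEN_TTL;
    if (!expired && !ct_equal(r->token, supplied, TOKEN_LEN))
        return 0;                 /* wrong guess: key stays pending */
    r->pending = 0;               /* used or expired: burn the key either way */
    memset(r->token, 0, sizeof r->token);
    return !expired;
}
```

The caller changes the password only when `reset_redeem` returns 1, so the key is already invalid by the time the change takes effect.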