thyseus / yii-user-management

a user management module collection for the yii framework

Security issue: overlapping usernames with HybridAuth #173

Open medvind opened 10 years ago

medvind commented 10 years ago

It seems that you can get logged in to the same user account in Yii with different HybridAuth logins, if the real names match.

So if John Doe creates a Yii account with, say, Facebook, and another John Doe logs in from a different Google/Facebook/etc. account, he will then access the first guy's data.

I have tested with two Google accounts and one Facebook account. I use the same real name ("Firstname Lastname") on all three accounts, and when using Yum and HybridAuth to register, "Firstname Lastname" registers as the username. Regardless of whether I register using one of the Google accounts or the Facebook account, the resulting user account can then be used from all three accounts.

Suggested solution: use the e-mail address as the user name instead of creating it from the real name.
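To make the collision concrete, here is an added illustration (not Yum's or HybridAuth's code, and not the fix later linked in this thread) that models two ways of mapping a provider profile onto a local account: the name-derived lookup the report describes, beside a lookup keyed on the provider's own stable identifier, with the e-mail address used as the username as suggested. The `Profile`, `UserStore` and sample accounts are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Constructed stand-in for the profile a HybridAuth adapter returns."""
    provider: str      # e.g. "google", "facebook"
    identifier: str    # the provider's stable user id for this account
    display_name: str  # "Firstname Lastname" as reported by the provider
    email: str


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # local user id -> username
    links: dict = field(default_factory=dict)  # (provider, identifier) -> local user id
    _next_id: int = 1

    def _create(self, username):
        uid = self._next_id
        self._next_id += 1
        self.users[uid] = username
        return uid

    def login_by_name(self, p):
        """Pattern described in the issue: the username is derived from the
        real name, so any profile carrying that name reaches the same account."""
        for uid, username in self.users.items():
            if username == p.display_name:
                return uid
        return self._create(p.display_name)

    def login_by_provider_id(self, p):
        """Hardened lookup: the account is keyed on the provider's own stable
        identifier, so a same-name profile elsewhere never matches. The
        e-mail address becomes the username, as the reporter suggested."""
        key = (p.provider, p.identifier)
        if key not in self.links:
            self.links[key] = self._create(p.email)
        return self.links[key]


def demo():
    """Three constructed same-name profiles: two Google accounts, one Facebook.
    Returns the local user ids each lookup hands out, in order."""
    profiles = [
        Profile("google", "g-1001", "John Doe", "john.doe@example.com"),
        Profile("google", "g-2002", "John Doe", "jdoe@example.org"),
        Profile("facebook", "fb-31", "John Doe", "john@example.net"),
    ]
    weak, strong = UserStore(), UserStore()
    return ([weak.login_by_name(p) for p in profiles],
            [strong.login_by_provider_id(p) for p in profiles])
```

Running `demo()` shows the name-keyed store handing all three profiles the same account (`[1, 1, 1]`), while the identifier-keyed store keeps them apart (`[1, 2, 3]`).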

thyseus commented 10 years ago

Thank you for reporting this severe security issue. I will investigate and fix this as soon as possible!

medvind commented 10 years ago

Thanks for the quick reply! Maybe I could help out as well. I've created a fork. I also have another question/suggestion. Can I PM you on IRC?

thyseus commented 10 years ago

I was very busy at work today - I will look into this issue this evening. Of course you can contact me on IRC or Skype, "herbertmaschke" ;)

thyseus commented 10 years ago

Please check if this potential fix fixes the issue, thank you!

https://github.com/thyseus/yii-user-management/commit/a4a6970f9d561db37a5aed49ccf58f3ebcf7b6df

medvind commented 10 years ago

Thanks Herbert, I'll check it out!

On Tue, Feb 4, 2014 at 7:29 PM, Herbert Maschke notifications@github.com wrote:

Please check if this potential fix fixes the issue, thank you!

a4a6970 https://github.com/thyseus/yii-user-management/commit/a4a6970f9d561db37a5aed49ccf58f3ebcf7b6df
