No password confirmation on sensitive action like email change in ikus060/rdiffweb
Reported on
Sep 26th 2022
Description
It is important to require password confirmation on sensitive actions such as changing the account email.
Proof of Concept
1) Go to https://rdiffweb-demo.ikus-soft.com/login/
2) Log in with the credentials admin / admin123
3) Navigate to the endpoint https://rdiffweb-demo.ikus-soft.com/prefs/general
4) Change the email and save changes
5) You will notice that no password confirmation is requested for this sensitive action
Mitigation: Require password confirmation on sensitive actions such as email change
Impact
If someone leaves their account logged in on a public computer (say in an office or cafe), an attacker can easily change the email associated with that account.
References
If someone leaves the session open, the user's backup is at risk. Changing the user's email is nothing compared to that. Do you think we should ask for the password for all these kinds of operations? Probably yes.
Yes, indeed a password backup must be added to all sensitive actions :)
After a lot of reading, given the type of application, all operations in Rdiffweb are sensitive. Seeing personal files, deleting them seems even more sensitive than editing the email. Looking at what banks do, I think it would be acceptable to limit the session to 10min. If it's good for the protection of my bank account, it should be good for the protection of backup data.
This value is already configurable for Rdiffweb. Will change the default value to 10min.
Hello sir, thank you for your email. Usually reducing the session time won't be as effective as implementation of a session timed up to 10 mins, for a variety of reasons.
- As I highlighted, the importance of password confirmation required for email change (considering the 2FA bypass issue)
- A user will not be quite happy being logged off every 10 minutes and having to reauthenticate again and again.
I believe a password confirmation is necessary for at least an email change, and the session also needs to expire on email change.
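The two controls debated above (a short session timeout and a fresh password confirmation before the email change, with other sessions revoked afterwards) combined in one handler, as an added example that is not rdiffweb's own code. The in-memory account and session stores, the PBKDF2 parameters and the credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_TIMEOUT = 600  # seconds; the 10 min figure discussed in the thread (assumed value)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; parameters are an assumption for this demo."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Constructed stand-in for a user record plus its active sessions."""

    def __init__(self, username, password, email):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.email = email
        self.sessions = {}  # session id -> {"last_seen": unix timestamp}

    def verify_password(self, candidate):
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)  # constant-time compare

    def login(self, password, now=None):
        if not self.verify_password(password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"last_seen": now if now is not None else time.time()}
        return sid


def change_email(account, sid, new_email, current_password, now=None):
    """Sensitive action: needs a non-expired session AND the current password.
    Returns (ok, reason). On success every other session is revoked so an
    abandoned login elsewhere (the public-computer case) loses access."""
    now = now if now is not None else time.time()
    sess = account.sessions.get(sid)
    if sess is None:
        return False, "no session"
    if now - sess["last_seen"] > SESSION_TIMEOUT:
        del account.sessions[sid]  # idle too long: force a fresh login
        return False, "session expired"
    sess["last_seen"] = now
    if not account.verify_password(current_password):
        return False, "password confirmation failed"
    account.email = new_email
    account.sessions = {sid: sess}  # log out every other session
    return True, "email changed"
```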