Improper Access Control in cortezaproject/corteza-server

Valid

Reported on

Oct 6th 2021


Hi, old, unused password reset tokens do not expire after the new one is used.

Suppose I am an attacker and I have gained access to the recovery email option of the victim's account. I log in to the victim's recovery email (suppose it is user@gmail.com). Then I use the forgot password option. I will get one password reset link. I note the reset link and then delete the email from user@gmail.com. In the meantime the victim understands that someone has gained access to his account. Then he resets the password of his account (Corteza) by issuing a new reset link, and he also changes the password of his account (Corteza) so that no one can hack his account again.

Now it's time for my exploitation.

I will use my reset link, which is still live even after your issuance of the new reset link, and I will hack into the victim's account.

A suggestion to fix this issue:

Use a fixed lifespan for a reset link.

All unused reset links should expire automatically after the issuance of a new reset link.
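As an added illustration, not Corteza's code and not part of this report, the two suggested fixes in Go: a hypothetical in-memory reset-token store that revokes a user's earlier tokens whenever a new link is issued, enforces a fixed lifetime, and accepts each token only once. The names `ResetStore`, `Issue` and `Redeem` are assumed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Hypothetical in-memory reset-token store (not Corteza's code): one live token per user, bounded TTL, single use.
type resetToken struct {
	userID  string
	expires time.Time
}
type ResetStore struct {
	tokens map[string]resetToken // keyed by token value
	ttl    time.Duration
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{tokens: map[string]resetToken{}, ttl: ttl}
}

// Issue revokes every earlier token for the user before minting a new one, so a
// link captured from an older e-mail stops working once a fresh link is requested.
func (s *ResetStore) Issue(userID string, now time.Time) (string, error) {
	for tok, rt := range s.tokens {
		if rt.userID == userID {
			delete(s.tokens, tok) // deleting during range is safe in Go
		}
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.tokens[tok] = resetToken{userID: userID, expires: now.Add(s.ttl)}
	return tok, nil
}

// Redeem accepts a token at most once and rejects it after its TTL has passed.
func (s *ResetStore) Redeem(tok string, now time.Time) (string, error) {
	rt, ok := s.tokens[tok]
	delete(s.tokens, tok) // consumed whatever the outcome
	if !ok || now.After(rt.expires) {
		return "", errors.New("reset token invalid, expired or revoked")
	}
	return rt.userID, nil
}
```

Passing `now` explicitly keeps the expiry logic testable; in a real handler the caller would supply `time.Now()` and the store would be backed by the database rather than a map.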

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 8 months ago
takester
8 months ago

Researcher


any update??

We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. 7 months ago
Tomaž Jerman
7 months ago

Maintainer


Hi, thank you for reporting; I'll get one of our guys to confirm this and propose a fix.

Denis Arh
3 months ago

Maintainer


Fixed and waiting for internal review & QC.

Denis Arh validated this vulnerability 3 months ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
Denis Arh confirmed that a fix has been merged on d2d024 3 months ago
The fix bounty has been dropped