
When global locking a compromised account, if user had pressed remember me, the cookie from the compromised account can be used to get back into the account later
Closed, ResolvedPublic

Description

see title.

Possibly password reset would invalidate the cookies too, but global lock should really make all old cookies useless

Arguably we should do something similar for normal blocks, although that goes against current expectations
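As an added illustration, not the patch discussed below or MediaWiki's own session code, here is a minimal model of remember-me cookies where a global lock or password reset bumps a per-user token version, so cookies minted earlier stop validating; the key, the user store and all function names are constructed for the example:

```python
import base64, hashlib, hmac, json

# Constructed demo key and in-memory user store; illustrative only,
# not MediaWiki's session or CentralAuth implementation.
SERVER_KEY = b"constructed-demo-key"
USERS = {}

def add_user(username: str) -> None:
    USERS[username] = {"locked": False, "token_version": 1}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_remember_me(username: str) -> str:
    """Mint a remember-me cookie: base64(JSON claims) + "." + HMAC."""
    claims = {"u": username, "ver": USERS[username]["token_version"]}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def _verify(cookie: str):
    """Return the claims if the HMAC is valid, else None."""
    body, _, sig = cookie.rpartition(".")
    payload = base64.urlsafe_b64decode(body)
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)

def validate_naive(cookie: str):
    """Pre-fix behaviour: only the signature is checked, so a cookie
    minted before the account was locked keeps working."""
    claims = _verify(cookie)
    return claims["u"] if claims else None

def validate_hardened(cookie: str):
    """Fixed behaviour: refuse locked accounts and any cookie whose
    token version predates the latest lock or password reset."""
    claims = _verify(cookie)
    if not claims:
        return None
    user = USERS.get(claims["u"])
    if user is None or user["locked"]:
        return None
    if claims["ver"] != user["token_version"]:
        return None
    return claims["u"]

def global_lock(username: str) -> None:
    """Lock the account and bump the version so old cookies fail."""
    USERS[username]["locked"] = True
    USERS[username]["token_version"] += 1

def reset_password(username: str) -> None:
    """A password reset bumps the version as well."""
    USERS[username]["token_version"] += 1
```

The naive validator still accepts a pre-lock cookie after `global_lock`, which is exactly the behaviour this task reports; the hardened one rejects it, and a reset-then-reissued cookie validates again.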

Event Timeline

Bawolff created this task. Nov 17 2016, 8:29 PM
Restricted Application added a subscriber: Aklapper. Nov 17 2016, 8:29 PM
Tgr added a subscriber: Tgr. Nov 18 2016, 1:45 AM

Oops. Didn't notice this was a security bug and put up https://gerrit.wikimedia.org/r/#/c/322227/ as a normal patch.

Don't worry, I only put it as security so as not to give OurMine any ideas. I don't really think it's a sensitive issue.

dpatrick triaged this task as High priority. Nov 29 2016, 9:52 PM
Reedy added a subscriber: Reedy. May 1 2019, 2:05 PM

Not sure why this patch hasn't been merged... JFDI? :)

@Reedy: +2'ed on 2019-05-01 and merged (thanks).
Can this task get closed as resolved? Can it be made public?

Reedy closed this task as Resolved. May 27 2019, 1:23 PM
Reedy assigned this task to Tgr.

I would think so

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". May 27 2019, 1:23 PM