
2FA reset should log the user out
Closed, ResolvedPublic

Description

disableOATHAuthForUser.php should call SessionManager::invalidateSessionsForUser. If the user is locked out, there is no harm in it, and in the case of an attacker achieving 2FA reset via social engineering, this ensures that the legitimate account owner will notice (whereas they might miss an email / have no email address).
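The change the description asks for, as an added illustrative maintenance script (not the OATHAuth extension's own disableOATHAuthForUser.php and not the patch linked below): clear the second factor, then invalidate every session the account holds. Assumptions: the MediaWiki core calls (Maintenance, User::newFromName, SessionManager::singleton()->invalidateSessionsForUser) are as in core at the time of this task; the OATHAuth repository calls (OATHAuthHooks::getOATHUserRepository, findByUser, getKey, remove) are assumed to match the extension version current when the task was filed and should be checked against the installed version.

```php
<?php
/**
 * Added example, not the extension's own script: reset a user's 2FA and
 * log the account out everywhere, in that order.
 *
 * Assumption: run from an extension's maintenance/ directory, so the core
 * Maintenance.php is three levels up unless MW_INSTALL_PATH is set.
 */
$IP = getenv( 'MW_INSTALL_PATH' );
if ( $IP === false ) {
	$IP = __DIR__ . '/../../..';
}
require_once "$IP/maintenance/Maintenance.php";

use MediaWiki\Session\SessionManager;

class ResetTwoFactorAndLogout extends Maintenance {
	public function __construct() {
		parent::__construct();
		$this->addDescription( 'Remove a user\'s second factor and invalidate all of their sessions' );
		$this->addArg( 'user', 'Username whose 2FA should be reset', true );
		$this->requireExtension( 'OATHAuth' );
	}

	public function execute() {
		$username = $this->getArg( 0 );
		$user = User::newFromName( $username );
		if ( !$user || $user->getId() === 0 ) {
			$this->fatalError( "User '$username' does not exist." );
		}

		// Step 1: drop the second factor.
		// Assumption: OATHAuthHooks::getOATHUserRepository(), findByUser(),
		// getKey() and remove() are the repository API of the OATHAuth
		// version current when this task was filed.
		$repo = OATHAuthHooks::getOATHUserRepository();
		$oathUser = $repo->findByUser( $user );
		if ( $oathUser->getKey() === null ) {
			$this->fatalError( "User '$username' does not have 2FA enabled." );
		}
		$repo->remove( $oathUser );

		// Step 2: invalidate every session for the account, on every device.
		// If the legitimate owner was locked out this costs them nothing;
		// if the reset was obtained by social engineering, the owner is
		// forcibly logged out and notices even if no email reaches them.
		// Doing this after step 1 means a failure in step 1 never leaves a
		// user logged out with their second factor still in place.
		SessionManager::singleton()->invalidateSessionsForUser( $user );

		$this->output( "2FA removed and all sessions invalidated for " .
			$user->getName() . "\n" );
	}
}

$maintClass = ResetTwoFactorAndLogout::class;
require_once RUN_MAINTENANCE_IF_MAIN;
```

Usage: `php extensions/OATHAuth/maintenance/resetTwoFactorAndLogout.php 'Example user'` (script name assumed). Note that invalidateSessionsForUser bumps the user's token, so it also kills "remember me" cookies, not only server-side sessions; that is the behaviour the description relies on.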

Event Timeline

Tgr created this task. Mar 12 2018, 10:41 PM
Restricted Application added a subscriber: Aklapper. Mar 12 2018, 10:41 PM
Huji added a subscriber: Huji. Mar 12 2018, 10:44 PM
jrbs added a subscriber: jrbs. Mar 12 2018, 11:00 PM

It should also trigger a flow and email notification to the user that his 2FA has been disabled.

jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.

Change 475039 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/OATHAuth@master] Make disableOATHAuthForUser.php log out the affected user

https://gerrit.wikimedia.org/r/475039

Tgr added a comment. Nov 21 2018, 3:58 AM

> It should also trigger a flow and email notification to the user that his 2FA has been disabled.

That should probably be a separate bug (and something that I would not try before T128351: RfC: Notifications in core is sorted out).

I mentioned it here as the description said that the goal was that the legitimate account owner would notice, but you are right. Split to T210075

Change 475039 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Make disableOATHAuthForUser.php log out the affected user

https://gerrit.wikimedia.org/r/475039

jrbs awarded a token. Jan 8 2019, 9:02 AM

Isn't it done?

Tgr closed this task as Resolved. Apr 7 2019, 1:23 AM
Tgr claimed this task.
Tgr updated the task description.