Page MenuHomePhabricator
Create Task
Maniphest T189537

2FA reset should log the user out
Closed, ResolvedPublic
Actions

Description

disableOATHAuthForUser.php should call SessionManager::invalidateSessionsForUser. If the user is locked out, there is no harm in it, and in the case of an attacker achieving 2FA reset via social engineering, this ensures that the legitimate account owner will notice (whereas they might miss an email / have no email address).

Details

SubjectRepoBranchLines +/-
Make disableOATHAuthForUser.php log out the affected usermediawiki/extensions/OATHAuthmaster+7 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Mar 12 2018, 10:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 12 2018, 10:41 PM
Tgr mentioned this in T180896: Allow functionaries to reset second factor on low-risk accounts.Mar 12 2018, 10:42 PM
Huji subscribed.Mar 12 2018, 10:44 PM
jrbs subscribed.Mar 12 2018, 11:00 PM
JEumerus subscribed.Mar 13 2018, 8:53 AM
Platonides subscribed.Nov 20 2018, 10:39 PM

It should also trigger a flow and email notification to the user that his 2FA has been disabled.

jrbs added a project: Trust-and-Safety.Nov 20 2018, 10:58 PM
jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.
gerritbot subscribed.Nov 21 2018, 3:56 AM

Change 475039 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/OATHAuth@master] Make disableOATHAuthForUser.php log out the affected user

https://gerrit.wikimedia.org/r/475039

gerritbot added a project: Patch-For-Review.Nov 21 2018, 3:56 AM
Tgr added a comment.Nov 21 2018, 3:58 AM
In T189537#4764005, @Platonides wrote:

It should also trigger a flow and email notification to the user that his 2FA has been disabled.

That should probably be a separate bug (and something that I would not try before T128351: Notifications should be in core is sorted out).

Platonides added a comment.Nov 21 2018, 11:59 AM

I mentioned it here as the description said that the goal was that the legitimate account owner would notice, but you are right. Split to T210075

gerritbot added a comment.Dec 27 2018, 8:46 PM

Change 475039 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Make disableOATHAuthForUser.php log out the affected user

https://gerrit.wikimedia.org/r/475039

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.12; 2019-01-08).Dec 27 2018, 9:00 PM
MR70 subscribed.Jan 3 2019, 12:25 PM
jrbs awarded a token.Jan 8 2019, 9:02 AM
Ladsgroup subscribed.Apr 6 2019, 10:35 PM

Isn't it done?

Tgr closed this task as Resolved.Apr 7 2019, 1:23 AM
Tgr claimed this task.
Tgr updated the task description. (Show Details)
Zabe removed a project: Patch-For-Review.Oct 31 2021, 1:27 AM
matmarex closed subtask T210075: Send notification when 2FA is disabled as Resolved.Feb 22 2022, 1:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL