Page MenuHomePhabricator
Create Task
Maniphest T324322

Account takeover - Account protection
Closed, InvalidPublicSecurity
Actions

Description

At this moment there is very simple way to Account takeover (here as an example MediaWiki account). The current proccess / approach is invalid. Dangerous. Insufficient account protection.

Description:
This vulnerability is connected with CWE-640: Weak Password Recovery Mechanism for Forgotten Password and CWE-345: Insufficient Verification of Data Authenticity.

Note - You need for repro steps: account on mediawiki.org + two emails (for testing purposes you can use your_email and your_email+alias - as another one).

In this case as a 'bad actor' can be everyone who received mistaken email.

Repro steps (PoC):
(victim side)

  1. User (as logged in) wants to change an email, so go to: https://www.mediawiki.org/wiki/Special:ChangeEmail
  1. Type/change email to invalid from point of user's view, which user not own (misspell / mistake)
  1. See message - changed sucessfully:

Change or remove email address
A confirmation email has been sent to the specified email address. Before any other email is sent to the account, you will have to follow the instructions in the email, to confirm that the account is actually yours.

(bad actor side)

  1. Open email sent to "wrong address" (ie.: with other browser type and with incognito/private mode), see message:

To confirm that this account really does belong to you and reactivate email features on MediaWiki, open this link in your browser:
https://www.mediawiki.org/wiki/Special:ConfirmEmail/[chars]

  1. Click that link to Confirm (as a Bad Actor)
  1. See info:

Confirm email address
Your email address has been confirmed. You may now log in and enjoy the wiki.

  1. Return to Special:UserLogin. So click Log in https://www.mediawiki.org/wiki/Special:UserLogin - BUT bad actor don't know the password or login, YET.
  1. So click https://www.mediawiki.org/wiki/Special:PasswordReset

Reset password
Fill in one of the fields to receive a temporary password via email."

Add your mail (bad actor's email, from step nr 4; ie.: your_email_example+alias1@gmail.com )

  1. Click Reset password, see message:

You have requested a password reset.
If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the reset password help page or try again later. You can only request a limited number of password resets within a short period of time. Only one password reset email will be sent per valid account every 24 hours in order to prevent abuse.
The details you submitted are:
Email address: your_email_example+alias1@gmail.com
Return to MediaWiki.

  1. Log in again to that "wrong / bad actor's email"
  1. See message:

Username: [real_victim_username] and Temporary password: [temp_pw]

Use instruction (username and temp password) from this email to login in.

See message:

You logged in with a temporary emailed code. To finish logging in, you must set a new password here:

  1. Set a new password (new + retype new password)

See that you're Logged in - account Takeover.

Additional information:
Security impact in this case is account takeover (credentials takeover, sensitive data from account, auth etc). Bad actor will has access to all data and account content.

Mistakes are common, everyone can misspell email address (people have a different addresses - as it's more difficult to write, as it's more simple to made a mistake).

I've decided to report this for you also because I've made a quick research and saw that well-protected companies don't have this issue (can't repro there), so I wanted let you know.

In general I saw (I'm really happy of that) different effective approaches. Adapted to their current architecture and work flow (cheap as well as expensive I suppose).

I really liked that they sometimes seemed to be a very simple solution, but at the same time they were very secure.

Scenario in this case is simple - user made a misspell email address & bad actor will try to takeover account as simply as possibly - with data and ways which were be given in simply way.

It seems to me that this is currently quite underestimated, while the consequences of an incorrect approach are huge.

Quick solution - don't update user's email address immediately - and after this there is many ways of choice for next steps of solution.

I hope it will be helpful. If any questions please fell free to ask.

Details

Risk Rating
Informational
Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

Emicbie22 created this task.Dec 2 2022, 11:52 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 2 2022, 11:52 AM
Emicbie22 mentioned this in T324323: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.Dec 2 2022, 11:57 AM
Reedy subscribed.Dec 2 2022, 12:15 PM

At this moment there is very simple way to Account takeover

It's not a very simple way, is it?

Your report is basically hinging on the fact that the typoed email the user enters, happens to be someone elses valid email? And that they're a bad actor? Or at least, have the potential to click the link to confirm the users email...

Reedy added projects: MediaWiki-User-login-and-signup, MediaWiki-Core-Preferences.Dec 2 2022, 12:34 PM
Emicbie22 added a comment.Dec 2 2022, 12:41 PM
This comment was removed by Emicbie22.
Reedy added a comment.Dec 2 2022, 12:42 PM
In T324322#8438804, @Emicbie22 wrote:

There are also ways to protect against described scenario.

Such as? You're not detailing any potential solution.

In T324322#8438804, @Emicbie22 wrote:

People makes typos and mistakes, that's really common - so, in general it's situation like email@email.com vs ernail@email.com, or iampeterrrider@email.com vs iampeterrider@email.com

It's not our fault if people typo their own email address.

Emicbie22 added a comment.Dec 2 2022, 12:57 PM
This comment was removed by Emicbie22.
Reedy added a comment.Dec 2 2022, 12:58 PM
In T324322#8438879, @Emicbie22 wrote:

"Quick solution - don't update user's email address immediately"

That's choice UX vs Security. I will write you wider about potential solution ASAP (I hope this evening). Let's keep in touch

Ok, so then the bad actor just needs to wait patiently for whatever defined amount of time, then take over the account anyway?

Emicbie22 added a comment.Dec 2 2022, 1:05 PM
This comment was removed by Emicbie22.
Aklapper changed the task status from Open to Stalled.Dec 2 2022, 1:23 PM
In T324322#8438899, @Emicbie22 wrote:

Can we make this better secure? Yes we can.

Please elaborate by clearly explaining how, as requested before.

Emicbie22 added a comment.Dec 4 2022, 2:46 PM
This comment was removed by Emicbie22.
sbassett assigned this task to Reedy.Dec 5 2022, 5:22 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Reedy updated the task description. (Show Details)Feb 16 2023, 3:33 PM
sbassett closed this task as Invalid.Feb 16 2023, 3:48 PM
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett subscribed.

Closing as invalid for the same reason specified at T324323#8621982.

sbassett triaged this task as Lowest priority.Feb 16 2023, 3:48 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Informational.
Emicbie22 added a comment.Feb 18 2023, 6:19 PM
This comment was removed by Emicbie22.
Emicbie22 updated the task description. (Show Details)Feb 18 2023, 6:20 PM
Emicbie22 renamed this task from Account takeover - Account protection to NahError.Feb 18 2023, 6:25 PM
Emicbie22 updated the task description. (Show Details)
Emicbie22 updated the task description. (Show Details)
Emicbie22 updated the task description. (Show Details)
Emicbie22 updated the task description. (Show Details)Feb 18 2023, 6:27 PM
JJMC89 renamed this task from NahError to Account takeover - Account protection.Feb 18 2023, 6:30 PM
JJMC89 updated the task description. (Show Details)
Bawolff subscribed.Feb 18 2023, 11:16 PM

Hi, why did you not ask me about make this public?

In general, if you submit a bug report to an open source project, the expectation is it will be public. If you don't want that to happen you need to specify and negotiate that up front. [This is my personal view only. I dont work for WMF so this is not an official statement]

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL