At this moment there is a very simple way to take over an account (here a MediaWiki account, as an example). The current email-change process is unsafe: the confirmation link sent to a new, unconfirmed address can be used by whoever receives it, and from there the account can be taken over via password reset. This is insufficient account protection.
Description:
This issue relates to CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) and CWE-345 (Insufficient Verification of Data Authenticity).
Note: for the repro steps you need an account on mediawiki.org and two email addresses (for testing you can use your_email and a your_email+alias variant as the second one).
In this scenario the "bad actor" is anyone who receives the misdirected email.
Repro steps (PoC):
(victim side)
- The user (logged in) wants to change their email address, so goes to: https://www.mediawiki.org/wiki/Special:ChangeEmail
- Types a new address that is wrong from the user's point of view, i.e. one they do not own (a misspelling / mistake)
- Sees the success message:
Change or remove email address
A confirmation email has been sent to the specified email address. Before any other email is sent to the account, you will have to follow the instructions in the email, to confirm that the account is actually yours.
(bad actor side)
- Opens the email that arrived at the "wrong address" (e.g. in a different browser, in incognito/private mode, so with no MediaWiki session at all) and sees:
To confirm that this account really does belong to you and reactivate email features on MediaWiki, open this link in your browser:
https://www.mediawiki.org/wiki/Special:ConfirmEmail/[chars]
- Clicks that link to confirm (as the bad actor, not logged in)
- Sees:
Confirm email address
Your email address has been confirmed. You may now log in and enjoy the wiki.
- Goes to Special:UserLogin (https://www.mediawiki.org/wiki/Special:UserLogin). The bad actor does not know the username or the password yet, so uses "Reset password":
Reset password
Fill in one of the fields to receive a temporary password via email.
- Enters their own address, i.e. the bad actor's address that received the confirmation email (e.g. your_email_example+alias1@gmail.com)
- Clicks "Reset password" and sees:
You have requested a password reset.
If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the reset password help page or try again later. You can only request a limited number of password resets within a short period of time. Only one password reset email will be sent per valid account every 24 hours in order to prevent abuse.
The details you submitted are:
Email address: your_email_example+alias1@gmail.com
Return to MediaWiki.
- Checks the "wrong" (bad actor's) mailbox again
- Sees a message containing:
Username: [real_victim_username] and Temporary password: [temp_pw]
- Logs in using the username and temporary password from that email
- Sees the message:
You logged in with a temporary emailed code. To finish logging in, you must set a new password here:
- Sets a new password (new + retype new password)
- Is now logged in: account takeover.
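As an added example (Python written for this report, not MediaWiki code and not part of the original steps), the following toy model replays the procedure above against two designs. WeakAccounts mirrors the behaviour described: the new address replaces the old one at once, the confirmation link is honoured from any browser, and the reset goes to whatever address is on file. HardenedAccounts is one way to apply the "don't update the address immediately" idea from the Additional information section: the old confirmed address stays in force, the owner is notified there, and the new address only becomes active when the link is opened from a session logged in as the account owner. Class names, the token format, the Outbox mailbox and the constructed addresses are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    email: Optional[str]                  # address that password resets are sent to
    email_confirmed: bool = False
    pending_email: Optional[str] = None   # used by HardenedAccounts only


class Outbox:
    """Stand-in mail transport (assumption): recipient address -> message bodies."""
    def __init__(self) -> None:
        self.mail: Dict[str, List[str]] = {}

    def send(self, to: str, body: str) -> None:
        self.mail.setdefault(to, []).append(body)


class WeakAccounts:
    """Flow as described in the repro steps (assumed model, not real MediaWiki code)."""
    def __init__(self, outbox: Outbox) -> None:
        self.outbox = outbox
        self.by_name: Dict[str, Account] = {}
        self.tokens: Dict[str, str] = {}   # confirmation token -> username

    def register(self, username: str, email: str) -> None:
        self.by_name[username] = Account(username, email, email_confirmed=True)

    def change_email(self, username: str, new_email: str) -> str:
        acct = self.by_name[username]
        acct.email, acct.email_confirmed = new_email, False   # old address is gone at once
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        self.outbox.send(new_email, f"confirm:{token}")
        return token

    def confirm(self, token: str, session_user: Optional[str] = None) -> bool:
        # session_user is ignored here: whoever holds the link can confirm.
        username = self.tokens.pop(token, None)
        if username is None:
            return False
        self.by_name[username].email_confirmed = True
        return True

    def request_reset(self, email: str) -> Optional[str]:
        """Send a temporary password if a confirmed account uses `email`.
        Returns the matched username, or None when nothing was sent."""
        for acct in self.by_name.values():
            if acct.email == email and acct.email_confirmed:
                temp = secrets.token_urlsafe(8)
                self.outbox.send(email, f"reset:{acct.username}:{temp}")
                return acct.username
        return None


class HardenedAccounts(WeakAccounts):
    """Old confirmed address stays until the owner confirms the new one from a session."""
    def change_email(self, username: str, new_email: str) -> str:
        acct = self.by_name[username]
        acct.pending_email = new_email        # acct.email is left untouched
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        self.outbox.send(new_email, f"confirm:{token}")
        if acct.email:                        # notify the owner at the address they still control
            self.outbox.send(acct.email, f"notice:change-requested:{new_email}")
        return token

    def confirm(self, token: str, session_user: Optional[str] = None) -> bool:
        username = self.tokens.get(token)
        if username is None or session_user != username:
            return False                      # the link alone proves nothing about ownership
        del self.tokens[token]
        acct = self.by_name[username]
        acct.email, acct.pending_email, acct.email_confirmed = acct.pending_email, None, True
        return True


def stranger_takeover(cls) -> Optional[str]:
    """Victim mistypes the new address; a stranger reads that mailbox and, with no
    session, follows the link and asks for a reset. Returns the username the reset
    resolved to, or None when the takeover path is closed."""
    outbox = Outbox()
    accounts = cls(outbox)
    accounts.register("victim", "victim@example.org")       # constructed account
    typo = "victmi@example.org"                              # constructed misspelling
    accounts.change_email("victim", typo)                    # the victim's own action
    token = outbox.mail[typo][0].split(":", 1)[1]            # stranger reads the link
    accounts.confirm(token, session_user=None)               # no logged-in session
    return accounts.request_reset(typo)


def owner_change(cls) -> bool:
    """The legitimate path: the owner confirms from their own logged-in session."""
    outbox = Outbox()
    accounts = cls(outbox)
    accounts.register("victim", "victim@example.org")
    token = accounts.change_email("victim", "new@example.org")
    ok = accounts.confirm(token, session_user="victim")
    return ok and accounts.by_name["victim"].email == "new@example.org"
```

`stranger_takeover(WeakAccounts)` returns "victim" (a temporary password for the victim's account lands in the typo mailbox), while `stranger_takeover(HardenedAccounts)` returns None: the stranger cannot complete the confirmation without the owner's session, and the reset lookup still only matches the old confirmed address. `owner_change` returns True for both classes, so the hardened rule costs the legitimate user nothing beyond opening the link while logged in.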
Additional information:
The security impact in this case is full account takeover: the bad actor sets a new password and gets access to all data and content of the account (credentials, sensitive account data, anything the account is authorised for).
Mistakes are common; anyone can misspell an email address (people use many different addresses, and the harder an address is to type, the easier it is to get wrong).
I've decided to report this to you also because I did some quick research and saw that well-protected companies don't have this issue (I can't reproduce it there), so I wanted to let you know.
In general I saw (and I'm really happy about that) different effective approaches, adapted to their current architecture and workflow (cheap as well as expensive ones, I suppose).
I really liked that some of them seemed to be very simple solutions, but at the same time were very secure.
The scenario here is simple: the user misspells their email address, and the bad actor takes over the account as simply as possible, using only the data and the steps handed to them in the misdirected email.
It seems to me that this is currently quite underestimated, while the consequences of an incorrect approach are huge.
Quick solution: don't update the user's email address immediately (keep the previous, confirmed address in force until the new one is properly confirmed). Note that on its own this is not enough, because the recipient of the misdirected link can still complete the confirmation; the confirmation should also require something only the owner has, e.g. opening the link from the owner's logged-in session, and the old address should be notified of the change. After that there are many possible choices for the next steps of the solution.
I hope this will be helpful. If you have any questions, please feel free to ask.