Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 367533

Summary: Reset Password allows to hijack accounts for SSH access (and other options)
Product: Community Reporter: Gunnar Wagenknecht <gunnar>
Component: WebsiteAssignee: phoenix.ui <phoenix.ui-inbox>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: P2 CC: contact, david_williams, wayne.beaton
Version: unspecifiedKeywords: security
Target Milestone: ---   
Hardware: All   
OS: All   
Whiteboard:

Description Gunnar Wagenknecht CLA 2011-12-24 04:12:40 EST 
Using the "Reset Password" feature is now super easy for any experienced attacker to gain access to the Eclipse.org infrastructure. With a little bit of social engineering one just needs to find out the email address of a committer with shell access. The hacker then enters the email address and monitors/sniffs SMTP traffic to get the password. Done.

A reset password procedure should involve at least a two-step process including a personal questions with answers that are known to the user.

There is a good read here:
http://www.fishnetsecurity.com/Resource_/PageResource/White_Papers/FishNetSecurity_SecureForgotPassword.pdf
(3rd hit on Google for "forgot password best practices")

Basic idea:
1. Get hard facts about the user (such as userid/email/birthday/city)
2. Ask personal security questions
3. Allow user to reset password
4. Display success message
Comment 1 Denis Roy CLA 2011-12-24 07:21:15 EST 
+1  I wouldn't say "super easy" but the reset needs to be much more robust.
Comment 2 Denis Roy CLA 2011-12-28 21:55:30 EST 
In the meanwhile, I've changed the process to send out a 64-byte token (instead of a new password).  When the user confirms the token, they can change the password.
Comment 3 Gunnar Wagenknecht CLA 2012-01-02 07:01:02 EST 
Denis, I think there is a flaw in the processes. One of my co-workes wanted to reset his password today but he couldn't.


"You have already submitted a request. This request has been ignored. (8727s)"

I think it should just generate a new token each time.
Comment 4 Denis Roy CLA 2012-01-02 19:18:51 EST 
> I think it should just generate a new token each time.

I want to avoid having someone script password resets for everyone.  Having an IP-based restriction was all I could come up with within the time I had.  It will expire  :)
Comment 5 Gunnar Wagenknecht CLA 2012-01-03 02:08:31 EST 
(In reply to comment #4)
> I want to avoid having someone script password resets for everyone.  Having an
> IP-based restriction was all I could come up with within the time I had.  It
> will expire  :)

So that explains why mine was also blocked. :)

I probably asked you that before but... What about http://www.google.com/recaptcha? As a positive side-effect it helps digitizing books. I think it's also a good thing to start asking for a captcha after the second failed password attempt.
Comment 6 Denis Roy CLA 2012-01-03 13:44:26 EST 
Yep, recaptcha is next ...   I am but one man   :)
Comment 7 Gunnar Wagenknecht CLA 2012-01-04 02:45:19 EST 
(In reply to comment #6)
> Yep, recaptcha is next ...   I am but one man   :)

I'm pushing you very hard on this one, ain't I? But you are doing great and I got the message. I'm happy to owe you a beer or two in March. :)
Comment 8 Denis Roy CLA 2012-01-05 15:30:36 EST 
> I'm pushing you very hard on this one, ain't I? 

Yes, and I appreciate it.  This service needs to be top-notch, and I need people like yourself watching over my shoulder and keeping me honest.

I'm the one who owes you a beer.  Thanks.
Comment 9 Wayne Beaton CLA 2012-03-22 10:21:29 EDT 
What is the status of this bug?
Comment 10 Denis Roy CLA 2012-03-22 10:37:58 EDT 
I'll close this as fixed since the original problem has been addressed.  recaptcha would be nice, though.