I'm on v10, AspNetCore + Angular.
I have noticed that an account is put into "password reset" state immediately upon submitting the "forgot password" form.
This does not seem like a very user-friendly flow, as once in this state, the user cannot get into their account until they have satisfied the "reset password" form (i.e., set a new password).
Given that anybody can access the "forgot password" page - it allows anonymous people to mess with anyone's account, by forcing them to change their password. This could be pivoted into a denial of service, or used in combination with social engineering to maliciously access protected systems.
Here is the specific scenario.
- An anonymous user fills out the "forgot password" form for any valid user account
- The victim user attempts to log into their account, and is forced to the "set a new password" page
Suggestion: Just like most websites I have ever used - if I successfully log in, even when a valid password-reset request is underway, the password reset is canceled, and the user is allowed into the account.
Note: This should obviously not allow bypassing of forced password resets, i.e., when a breach of an account password has been suspected. It's a password-reset use case specific to the 'forgotten password' scenario.
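
The behaviour suggested in the question above, as an added sketch that is not part of the original post and not ASP.NET Zero's code: a self-service reset request and a forced reset are tracked separately, and a successful login cancels only the former. The `Account` type, its fields and `LoginFlow` are hypothetical names, and the string comparison stands in for a real password hasher.

```csharp
#nullable enable
using System;

// Constructed demo: anonymous reset request, a wrong guess, then the owner's login.
var account = new Account { PasswordHash = "hash-of-correct-password" };
Func<string, string, bool> verify = (hash, pw) => hash == "hash-of-" + pw; // stand-in hasher

LoginFlow.RequestPasswordReset(account, "constructed-token-hash", DateTimeOffset.UtcNow);
Console.WriteLine(LoginFlow.Login(account, verify, "wrong-password"));   // token is kept
Console.WriteLine(LoginFlow.Login(account, verify, "correct-password")); // token is cancelled
Console.WriteLine(account.PendingResetTokenHash is null);

account.MustChangePassword = true; // forced reset, e.g. suspected breach
Console.WriteLine(LoginFlow.Login(account, verify, "correct-password"));

// Hypothetical model, not the framework's user entity.
public sealed class Account
{
    public string PasswordHash { get; set; } = "";
    public string? PendingResetTokenHash { get; set; }        // written by the anonymous form
    public DateTimeOffset? ResetTokenExpiresUtc { get; set; }
    public bool MustChangePassword { get; set; }              // written only by admin/breach response
}

public enum LoginOutcome { Failed, MustChangePassword, Success }

public static class LoginFlow
{
    // Anonymous request: stores a token for the e-mailed link, never touches the login gate.
    public static void RequestPasswordReset(Account a, string tokenHash, DateTimeOffset now)
    {
        a.PendingResetTokenHash = tokenHash;
        a.ResetTokenExpiresUtc = now.AddHours(1);
    }

    public static LoginOutcome Login(Account a, Func<string, string, bool> verify, string password)
    {
        // A failed attempt must not cancel the reset, or a guesser could revoke the owner's link.
        if (!verify(a.PasswordHash, password)) return LoginOutcome.Failed;

        // The owner proved knowledge of the password: discard the self-service request.
        a.PendingResetTokenHash = null;
        a.ResetTokenExpiresUtc = null;

        // The forced-reset flag is independent and survives a successful login.
        return a.MustChangePassword ? LoginOutcome.MustChangePassword : LoginOutcome.Success;
    }
}
```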
2 Answer(s)
-
0
Hi,
Thank you for sharing this. Could you create an issue on https://github.com/aspnetzero/aspnet-zero-core ? We can include this in the next version.
-
0
Hi @ismcagdas, while putting together issue details, it is no longer reproducing. Very odd. I will close this ticket, and raise an issue via GitHub if I can figure out repro steps.