
Forgotten password (reset) feature allows interruption of any users' account access #11320

hra created

I'm on v10, AspNetCore + Angular.

I have noticed that an account is put into "password reset" state immediately upon submitting the "forgot password" form.

This does not seem like a very user friendly flow - as once in this state, the user cannot get into their account until they have satisfied the "reset password" form (i.e., set a new password).

Given that anybody can access the "forgot password" page - it allows anonymous people to mess with anyone's account, by forcing them to change their password. This could be pivoted into a denial of service, or used in combination with social engineering to maliciously access protected systems.

Here is the specific scenario.

  1. Anonymous user fills out "forgot password" form, for any valid user account
  2. The victim user attempts to log into their account, and is forced to the "set a new password" page

Suggestion: Just like most websites I have ever used - if I successfully log in, even when a valid password-reset request is underway, the password reset is canceled, and the user is allowed into the account.

Note: This should obviously not allow bypassing of forced password resets, i.e., when a breach of an account password has been suspected. It's a password-reset use-case specific to the 'forgotten password' scenario.
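The behaviour the post asks for, as an added C# illustration rather than code from ASP.NET Boilerplate: a pending self-service reset is cancelled when the account owner logs in with the current password, while a forced reset still has to be completed first. The `UserAccount` class, the `ResetKind`/`LoginResult` enums and the method names (`RequestForgottenPasswordReset`, `ForcePasswordReset`, `CompleteForgottenPasswordReset`) are invented for this example, and it assumes .NET Core 2.1 or later for `CryptographicOperations.FixedTimeEquals`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration (not ABP code): a pending self-service "forgotten password" reset is cancelled by
// a successful login with the current password; an administratively forced reset is not.
public enum ResetKind { None, Forgotten, Forced }
public enum LoginResult { Success, InvalidCredentials, MustResetPassword }

public sealed class UserAccount
{
    private const int Pbkdf2Iterations = 100_000;
    private readonly byte[] _salt = new byte[16];
    private byte[] _passwordHash;

    public string UserName { get; }
    public ResetKind PendingReset { get; private set; } = ResetKind.None;
    public string ResetToken { get; private set; }             // what would be e-mailed to the user
    public DateTimeOffset ResetExpiresAt { get; private set; }

    public UserAccount(string userName, string password)
    {
        UserName = userName;
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(_salt);
        _passwordHash = Hash(password);
    }

    private byte[] Hash(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, _salt, Pbkdf2Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Anonymous "forgot password" page: anyone can call this, so it only records a token.
    // It neither invalidates the current password nor blocks a login that uses it.
    public string RequestForgottenPasswordReset(TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        PendingReset = ResetKind.Forgotten;
        ResetToken = Convert.ToBase64String(raw);
        ResetExpiresAt = DateTimeOffset.UtcNow.Add(lifetime);
        return ResetToken;
    }

    // Suspected-compromise / administrative path: the old password must not bypass this.
    public void ForcePasswordReset()
    {
        PendingReset = ResetKind.Forced;
        ResetToken = null;
    }

    public LoginResult Login(string password)
    {
        if (!CryptographicOperations.FixedTimeEquals(Hash(password), _passwordHash))
            return LoginResult.InvalidCredentials;

        switch (PendingReset)
        {
            case ResetKind.Forced:
                return LoginResult.MustResetPassword;
            case ResetKind.Forgotten:
                // The owner just proved possession of the current password, so the anonymous
                // request is stale: cancel it instead of forcing a new password.
                ClearPendingReset();
                return LoginResult.Success;
            default:
                return LoginResult.Success;
        }
    }

    public bool CompleteForgottenPasswordReset(string token, string newPassword)
    {
        if (token == null || PendingReset != ResetKind.Forgotten || ResetToken == null) return false;
        if (DateTimeOffset.UtcNow > ResetExpiresAt) { ClearPendingReset(); return false; }
        if (!CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(token), Encoding.UTF8.GetBytes(ResetToken)))
            return false;
        _passwordHash = Hash(newPassword);
        ClearPendingReset();
        return true;
    }

    private void ClearPendingReset() { PendingReset = ResetKind.None; ResetToken = null; }
}

public static class Demo
{
    public static void Main()
    {
        var alice = new UserAccount("alice", "correct horse battery staple");
        alice.RequestForgottenPasswordReset(TimeSpan.FromHours(1));      // step 1: anonymous submitter
        Console.WriteLine(alice.Login("correct horse battery staple"));  // step 2: owner logs in; reset is cancelled
        Console.WriteLine(alice.PendingReset);
        alice.ForcePasswordReset();                                      // forced reset still blocks the login
        Console.WriteLine(alice.Login("correct horse battery staple"));
    }
}
```

The point of keeping the two reset kinds apart is that the anonymous page can never put an account into a state that only the reset form can leave: it records a short-lived token next to the password hash instead of replacing it, so the denial-of-service the report describes has no effect on the legitimate owner, and the forced path used after a suspected compromise keeps its stronger semantics.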

2 Answer(s)
  • 0
    ismcagdas created
    Support Team


    Thank you for sharing this. Could you create an issue on ? We can include this in the next version.

  • 0
    hra created

    Hi @ismcagdas, while putting together issue details, it is no longer reproducing. Very odd. I will close this ticket, and raise an issue via github if I can figure out repro steps.