Opened 9 years ago

Closed 9 years ago

#3337 closed defect (fixed)

security issue during registering new account at OSM

Reported by: malenki Owned by: Tom Hughes
Priority: minor Milestone:
Component: website Version:
Keywords: Cc: osmbugs@…

Description

While registering for an account at OSM, one has to type in a password twice. After that one gets an email with a link to verify the account to be created.

This link can be used by any third person (e.g. MITM) to verify the account and change the password without having to know the password chosen at registration time.

Change History (4)

comment:1 Changed 9 years ago by woodpeck

Priority: major → minor

Please explain why this is a security risk.

Why should the "man in the middle" wait until you register an account, rather than simply registering an account in your name in the first place, something that has always been possible? What does the "man in the middle" gain from hijacking an account that hasn't been used yet and that won't be used in the future?

comment:2 Changed 9 years ago by malenki

I am not the one creating exploits, nor am I evil enough what people would/could do with some issues; I just stumble over them.

At least the possibility to change the password without having to tell the recent one is (imo, of course) no lucky solution.

comment:3 Changed 9 years ago by malenki

I forgot some words above:

[...] am I evil enough _to dream of_ what people would/could [...]

comment:4 Changed 9 years ago by Tom Hughes

Resolution: fixed
Status: new → closed

I think the point here is that if somebody has gone to the trouble of either hacking into your email or somehow tapping your network traffic and extracting your email from it then they will have much more interesting things to look for in it than an OSM account confirmation email...

Nonetheless I have made changes to block this by ensuring that new users are not automatically logged in unless they are using the same web browser used to create the account.
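One way to bind the confirmation step to the signup browser, as described in the comment above. This is an added illustration, not code from the OSM website; the in-memory `USERS` table, the session hash and the `signup`/`confirm` helpers are assumptions standing in for the real database and cookie session.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory stand-in for the user table, keyed by the emailed
# confirmation token (assumption: the real site keeps this in a database).
PendingUser = Struct.new(:email, :browser_token_digest, :password_digest, :confirmed)
USERS = {}

# Signup: record the pending account and mail out a confirmation token, but
# also drop a separate random secret into the signup browser's session so
# that the confirmation step can later tell that browser apart from any other
# holder of the emailed link.
def signup(email, password, session)
  confirm_token = SecureRandom.hex(16)      # goes into the emailed link
  browser_token = SecureRandom.hex(16)      # stays in this browser's session only
  session[:signup_browser] = browser_token
  USERS[confirm_token] = PendingUser.new(
    email,
    Digest::SHA256.hexdigest(browser_token),
    Digest::SHA256.hexdigest(password),     # placeholder; use a real password hash in production
    false
  )
  confirm_token
end

# Confirmation: the emailed link proves control of the mailbox, so it may
# activate the account, but only the browser that still carries the signup
# secret is signed in automatically. Anyone else who obtained the link (for
# example by reading the mail in transit) gets a confirmed account that
# still requires the password chosen at registration to log in.
def confirm(confirm_token, session)
  user = USERS[confirm_token]
  return :invalid_token unless user && !user.confirmed
  user.confirmed = true
  presented = session[:signup_browser]
  # Comparing digests rather than the raw secret keeps the stored value
  # useless on its own if the user table leaks.
  same_browser = presented &&
                 Digest::SHA256.hexdigest(presented) == user.browser_token_digest
  if same_browser
    session[:user_email] = user.email
    :confirmed_and_logged_in
  else
    :confirmed_login_required
  end
end
```

A token is single-use here, so a second visit to the link returns `:invalid_token` instead of re-running the login decision.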
