Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by cyberoy - 12.10.2024
Last edited by cbay - 28.10.2024

FS#82 - Vulnerability: Password Reset Links Not Expiring After Requesting New Links

A vulnerability was identified on the alwaysdata account password reset feature that allows previously generated password reset links to remain functional even after a new reset link has been requested. This flaw can potentially allow unauthorized users to exploit old links and reset passwords, even when a user has already generated a new password reset link.

Steps to Reproduce:
1. Go to the password reset page: https://admin.alwaysdata.com/password/lost/
2. Request a password reset link by entering your email at 10:00 AM.
3. Copy and save the password reset link received in the email (without using it).
4. At 10:05 AM, request a new password reset link by entering the same email.
5. Use the most recent password reset link received at 10:05 AM to reset your password.
6. Now, attempt to use the first password reset link received at 10:00 AM to reset the password again.
7. Observe that the first password reset link (from 10:00 AM) is still valid and allows you to reset the password, even though a new link was generated at 10:05 AM.

Impact
This vulnerability enables an attacker or malicious user to exploit old, still-active password reset links, even after a new reset link has been generated. This could potentially lead to account compromise and unauthorized access, posing a significant security risk to user accounts.

Recommendation:
Invalidate Old Password Reset Links: Ensure that when a new password reset link is generated, all previously issued links are immediately invalidated.
Token Management: Implement a more secure token management system where each password reset token is tracked, and all previous tokens are invalidated once a new token is generated. Only the latest reset token should be valid at any given time.
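A minimal model of the token handling the recommendation describes, added here as an illustration and not alwaysdata's own code; the in-memory store, the 15-minute lifetime and the email-to-account mapping are assumptions. The flag switches between the per-link behaviour the report observed (each link stays usable until it is itself consumed) and the recommended fix, where a new request retires every older link and a successful reset retires all of them:

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ResetToken:
    email: str
    token_hash: str  # only the SHA-256 of the token is stored, never the token
    issued_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical reset-token store (not alwaysdata's implementation)."""

    TTL_SECONDS = 15 * 60  # assumed lifetime; not stated in the report

    def __init__(self, invalidate_previous: bool = True):
        # False reproduces the reported flaw: tokens are independent of each other.
        self.invalidate_previous = invalidate_previous
        self._tokens: List[ResetToken] = []

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _retire_all(self, email: str) -> None:
        for t in self._tokens:
            if t.email == email:
                t.used = True

    def request_reset(self, email: str, now: float) -> str:
        if self.invalidate_previous:
            self._retire_all(email)  # recommended fix: only the newest link is valid
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
        self._tokens.append(ResetToken(email, self._hash(token), now))
        return token

    def consume(self, token: str, now: float) -> Optional[str]:
        """Return the account email on a valid reset, None otherwise."""
        h = self._hash(token)
        for t in self._tokens:
            if secrets.compare_digest(t.token_hash, h):  # constant-time match
                if t.used or now - t.issued_at > self.TTL_SECONDS:
                    return None
                if self.invalidate_previous:
                    self._retire_all(t.email)  # a completed reset spends every link
                t.used = True  # single use in either mode
                return t.email
        return None
```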

Closed by cbay
28.10.2024 08:36
Reason for closing: Invalid

Hello,

Any update on this?

Admin
cbay commented on 24.10.2024 12:58

Hello,

A password reset link becomes invalid immediately once you've logged in, and resetting your password (by clicking on the link) automatically logs you in by a redirect, which makes all previous password reset links invalid.

So I believe your scenario would only work if you blocked HTTP redirects from your browser.

Kind regards,
Cyril
