MDL-69961

Forgot password tokens should be invalidated when account email address changes


    Details

    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE

      Description

      We should only accept tokens sent to an account's current email address, so when a user's email address is updated, we should invalidate the tokens used in password reset (forgotten password) links sent to the old address. (It would also be worth checking for any other similar tokens that may need the same treatment.)

      Given the (default) short life of such tokens and the fact that they are single use, this is something of an edge case, but it is a valid fix to comply with security best practice. Taking that into account along with the low risk of being an exploitable issue, I've marked this as a security benefit, and not assigned a security level.
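      An added illustration (not Moodle's code) of the behaviour the description asks for: each reset token records the address it was sent to, an email change drops every outstanding token for the account, and redemption additionally refuses a token whose issue address no longer matches the current one. The 30-minute lifetime, the class names and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

def _h(token):  # store only a hash: a leaked table yields no usable links
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class User:
    id: int
    email: str

@dataclass
class ResetToken:
    user_id: int
    email_at_issue: str  # address the reset link was emailed to
    expires_at: float
    used: bool = False

class ResetTokenStore:
    def __init__(self, users, ttl_seconds=1800):  # assumed 30-minute lifetime
        self.users = {u.id: u for u in users}
        self.ttl = ttl_seconds
        self.tokens = {}  # sha256(token) -> ResetToken

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        rec = ResetToken(user_id, self.users[user_id].email, now + self.ttl)
        self.tokens[_h(token)] = rec
        return token  # goes into the link sent to the current address

    def change_email(self, user_id, new_email):
        # The fix this issue asks for: outstanding tokens die with the old address
        for rec in self.tokens.values():
            if rec.user_id == user_id:
                rec.used = True
        self.users[user_id].email = new_email

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        rec = self.tokens.get(_h(token))
        if rec is None or rec.used or now > rec.expires_at:
            return None
        # Defence in depth: refuse a token issued to an address that is no longer current
        if rec.email_at_issue != self.users[rec.user_id].email:
            return None
        rec.used = True  # single use
        return rec.user_id
```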


      Written up by Michael Hawkins, based on reports by vivek and Saurabh Mhatre

            People

            Assignee:
            Unassigned
            Reporter:
            Michael Hawkins (michaelh)
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan