[standards-jig] JEP:0015 Account Transfer

Casey Crabb debug at nafai.dyndns.org
Thu Jan 24 18:00:03 UTC 2002


On Thu, 2002-01-24 at 11:55, Iain Shigeoka wrote:
> :)  I seem to be playing old curmudgeon/devil's advocate a lot lately...
> You may want to crosspost this to the security-jig list to have the security
> team look at this issue (if you want a security breakdown).  (However, in
> the last Foundation meeting we tentatively decided to try and rework the JIG
> system to avoid this sort of problem of not having the right people see
> issues... Sorry I digress.)
> 
> OK.  Here's one I thought of as I read your description.
> 
> Scenario (rogue server): I (rogue spammer) set up a script that slams your
> server that supports account transfer.  The script simply floods your server
> with account transfer requests acting like a server.  Since you allow
> account transfers, and must expect that a single server may legitimately
> make many of these requests, your server accepts them.  The script then
> proceeds to spam the world through your server using all of these accounts.
> A normal server could limit the number of registrations from a single IP to
> prevent spammer account creation, prevent "open" registrations, etc...

Devil's advocate is an important role.
I don't see the above compromise working though because the
AccountTransfer request has to be initiated by the server currently
holding the account. The AccountTransfer request has to be honored by
the Account your are transfering to (ie you have to already have created
the account and logged into it). This means that random rouge can't ask
to have an account transferred to him. 
Asking the tertserver to modify a roster may have the hole you are
describing, but dialback can verify identity. So if olduser is on
tertuser's roster there is already an established relationship; if
oldserver says that olduser is moving account to newuser at newserver
they can dialback oldserver to verify this.
What the attacker would need to do is hijack the oldserver.

Am I missing it?

-Casey





More information about the Standards mailing list