[standards-jig] JEP-0077 Password Changing Security Flaw

JD Conley jconley at winfessor.com
Fri Jan 23 04:29:20 UTC 2004


I know this spec has been around forever, but it has come to my
attention that it carries with it a crucial security flaw.  You can
change a password without knowing the original password.  Yes, I know
you have to be authed.  What if someone could walk up to a shell you
happened to leave open, type "passwd" and proceed to set a new password
for you?  This is exactly what can happen with the current protocol.

Let's say I walk away from my PC and leave my Jabber client running.  My
arch enemy Evil Coworker decides to change my password.  Since I'm
already logged in, all he has to do is enter the new password.  He can
then go over to his own desk, log in as me, and tarnish my squeaky clean
reputation.

The answer for avoiding this situation is simple.  All we have to do is
enforce that both the old and new passwords are sent in the password
change request.  This is how every other password system I've ever seen
works.

<iq type="set">
    <query xmlns="jabber:iq:register">
        <username>jconley</username>
        <oldpassword>password</oldpassword>
        <password>p4ssw0rd</password>
    </query>
</iq>

Comments?

JD
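To make the proposed rule concrete from the server's side, here is an added example (not code from the post or from any Jabber server) of a handler for the jabber:iq:register "set" that refuses a password change unless the request carries <oldpassword/> and that value verifies against the stored credential. The PBKDF2 password store, the `session_user` argument (the username the stream authenticated as) and the constructed stanzas are all assumptions for the example; only the stanza layout comes from the post.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Namespace used by the stanza in the post.
NS = "jabber:iq:register"


def _tag(name):
    """Qualified tag name as ElementTree expects it: {namespace}local."""
    return "{%s}%s" % (NS, name)


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest). Hypothetical store format."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class PasswordStore:
    """In-memory stand-in for the server's account database (constructed for the example)."""

    def __init__(self):
        self._accounts = {}

    def add(self, username, password):
        self._accounts[username] = hash_password(password)

    def verify(self, username, password):
        rec = self._accounts.get(username)
        if rec is None:
            # Do the same work for unknown users so timing does not reveal existence.
            hash_password(password)
            return False
        salt, stored = rec
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)

    def set_password(self, username, password):
        self._accounts[username] = hash_password(password)


def handle_password_change(stanza_xml, session_user, store):
    """Process a jabber:iq:register 'set' that changes a password.

    Returns (ok, reason). Enforces the rule the post argues for: the request
    must carry <oldpassword/>, and it must verify, before <password/> is applied.
    session_user is the username the stream authenticated as (assumed input).
    """
    iq = ET.fromstring(stanza_xml)
    if iq.tag != "iq" or iq.get("type") != "set":
        return False, "not an iq set"
    query = iq.find(_tag("query"))
    if query is None:
        return False, "missing register query"
    username = query.findtext(_tag("username"))
    old_pw = query.findtext(_tag("oldpassword"))
    new_pw = query.findtext(_tag("password"))
    # An authenticated session may only change its own password.
    if username != session_user:
        return False, "username does not match authenticated session"
    if not new_pw:
        return False, "missing new password"
    # The check the current protocol lacks: no old password, no change.
    if old_pw is None:
        return False, "missing oldpassword"
    if not store.verify(username, old_pw):
        return False, "old password incorrect"
    store.set_password(username, new_pw)
    return True, "password changed"


# Constructed stanzas: the first is what the current spec permits, the second
# is the shape proposed in the post.
STANZA_WITHOUT_OLD = (
    '<iq type="set"><query xmlns="jabber:iq:register">'
    "<username>jconley</username><password>p4ssw0rd</password></query></iq>"
)
STANZA_WITH_OLD = (
    '<iq type="set"><query xmlns="jabber:iq:register">'
    "<username>jconley</username><oldpassword>password</oldpassword>"
    "<password>p4ssw0rd</password></query></iq>"
)


def demo():
    """Run both stanzas through the handler; returns the two (ok, reason) results."""
    store = PasswordStore()
    store.add("jconley", "password")
    first = handle_password_change(STANZA_WITHOUT_OLD, "jconley", store)
    second = handle_password_change(STANZA_WITH_OLD, "jconley", store)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The handler rejects the old-style request outright rather than treating a missing <oldpassword/> as an empty string, so a client that has not been updated cannot silently bypass the check; the username-matches-session test is an extra guard the post does not mention but any server applying this rule would also want.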


