[standards-jig] JEP-0077 Password Changing Security Flaw

Matthew A. Miller linuxwolf at outer-planes.net
Fri Jan 23 04:46:20 UTC 2004

Or you could lock your workstation.  If someone malicious haa enough 
access to your workstation to change that password, what's to stop them 
from using your e-mail client?  Or deleting all your critical files?

I think having your Evil Coworker changing your Jabber account password 
is the least of your worries...

-  LW

Dudley Carr wrote:

> JD Conley wrote:
>> I know this spec has been around forever, but it has come to my
>> attention that it carries with it a crucial security flaw.  You can
>> change a password without knowing the original password.  Yes, I know
>> you have to be authed.  What if someone could walk up to a shell you
>> happened to leave open, type "passwd" and proceed to set a new password
>> for you?  This is exactly what can happen with the current protocol.
>> Let's say I walk away from my PC and leave my Jabber client running.  My
>> arch enemy Evil Coworker decides to change my password.  Since I'm
>> already logged in, all he has to do is enter the new password.  He can
>> then go over to his own desk, log-in as me, and tarnish my squeky clean
>> reputation.
>> The answer for avoiding this situation is simple.  All we have to do is
>> enforce that both the old and new passwords are sent in the password
>> change request.  This is how every other password system I've ever seen
>> works.  
> Or the client could just prompt you for the old and new password, 
> check the old password against the password used when logging-in 
> (assuming the client saved it), and send off the request if and only 
> if the passwords matched.
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig

More information about the Standards mailing list