[standards-jig] JEP-0077 Password Changing Security Flaw

JD Conley jconley at winfessor.com
Fri Jan 23 05:02:22 UTC 2004


Obviously you should lock your workstation.  I'm not talking about
security in that context.  I'm talking about a flaw in the protocol.

There's nothing to stop them from being as malicious as they want.  But
they sure couldn't change your domain or local passwords, and go login
at their own workstation.  To do that they'd have to enter in your old
password.  I think the more security in place, the better.  Especially
when it's something so simple.

JD

> -----Original Message-----
> From: Matthew A. Miller [mailto:linuxwolf at outer-planes.net] 
> Sent: Thursday, January 22, 2004 8:46 PM
> To: standards-jig at jabber.org
> Subject: Re: [standards-jig] JEP-0077 Password Changing Security Flaw
> 
> Or you could lock your workstation.  If someone malicious has enough
> access to your workstation to change that password, what's to stop them
> from using your e-mail client?  Or deleting all your critical files?
> 
> I think having your Evil Coworker changing your Jabber account password
> is the least of your worries...
> 
> 
> -  LW
> 
> Dudley Carr wrote:
> 
> > JD Conley wrote:
> >
> >> I know this spec has been around forever, but it has come to my
> >> attention that it carries with it a crucial security flaw.  You can
> >> change a password without knowing the original password.  Yes, I know
> >> you have to be authed.  What if someone could walk up to a shell you
> >> happened to leave open, type "passwd" and proceed to set a new password
> >> for you?  This is exactly what can happen with the current protocol.
> >>
> >> Let's say I walk away from my PC and leave my Jabber client running.  My
> >> arch enemy Evil Coworker decides to change my password.  Since I'm
> >> already logged in, all he has to do is enter the new password.  He can
> >> then go over to his own desk, log-in as me, and tarnish my squeaky clean
> >> reputation.
> >>
> >> The answer for avoiding this situation is simple.  All we have to do is
> >> enforce that both the old and new passwords are sent in the password
> >> change request.  This is how every other password system I've ever seen
> >> works.
> >
> >
> > Or the client could just prompt you for the old and new password,
> > check the old password against the password used when logging-in
> > (assuming the client saved it), and send off the request if and only
> > if the passwords matched.
> > _______________________________________________
> > Standards-JIG mailing list
> > Standards-JIG at jabber.org
> > http://mailman.jabber.org/listinfo/standards-jig
> 
> 
> 
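A server-side check of the kind JD is asking for, added here as an example that is not part of this thread or of any Jabber server's code: it parses a jabber:iq:register password-change IQ and refuses the change unless a hypothetical <old-password/> element (not defined in JEP-0077) carries the account's current password. The PasswordStore, the element name and the constructed sample stanza are assumptions; only the Python 3 standard library is used.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

NS = "{jabber:iq:register}"  # registration namespace from JEP-0077

# Constructed sample stanza (stream namespace omitted): the shape the thread
# asks for, with the hypothetical <old-password/> sent next to the new one.
SAMPLE_IQ = ('<iq type="set" id="change1"><query xmlns="jabber:iq:register">'
             '<username>bill</username><old-password>oldpass</old-password>'
             '<password>newpass</password></query></iq>')

def _digest(password, salt):
    # Salted PBKDF2 so the store never keeps cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordStore:
    """Minimal in-memory credential store (an assumption, not a real server's)."""
    def __init__(self):
        self._users = {}
    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt))
    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _digest(password, salt))

def handle_password_change(store, session_user, iq_xml):
    """Return ('result', 'ok') or ('error', condition) for a password-change IQ.
    session_user is the already-authenticated account; being logged in is
    deliberately not enough on its own, which is the gap JD describes."""
    iq = ET.fromstring(iq_xml)
    query = iq.find(NS + "query")
    if iq.get("type") != "set" or query is None:
        return ("error", "bad-request")
    username = query.findtext(NS + "username")
    new_pw = query.findtext(NS + "password")
    old_pw = query.findtext(NS + "old-password")  # hypothetical element
    if username != session_user:
        return ("error", "forbidden")       # only your own password
    if not new_pw or old_pw is None:
        return ("error", "not-acceptable")  # old password is mandatory
    if not store.verify(username, old_pw):
        return ("error", "not-authorized")  # the "Evil Coworker" case
    store.set_password(username, new_pw)
    return ("result", "ok")
```

With this check in place, an open client session alone cannot set a new password; the request is only honoured when the sender also proves knowledge of the current one.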