[standards-jig] JEP-0077 Password Changing Security Flaw

Peter Saint-Andre stpeter at jabber.org
Fri Jan 23 05:04:55 UTC 2004

Precisely. The old rule is, if someone has physical access to your
machine, there is not much a protocol can do to prevent damage.

If you feel this is an important feature, you can always use the
extension mechanism defined in JEP-0077 (i.e., x:data) to implement 
the desired functionality. Or turn off in-band registration entirely.

But I will add something about this to the security considerations...


On Thu, Jan 22, 2004 at 09:46:20PM -0700, Matthew A. Miller wrote:
> Or you could lock your workstation.  If someone malicious has enough
> access to your workstation to change that password, what's to stop them
> from using your e-mail client?  Or deleting all your critical files?
> I think having your Evil Coworker changing your Jabber account password 
> is the least of your worries...
> -  LW
> Dudley Carr wrote:
> >JD Conley wrote:
> >
> >>I know this spec has been around forever, but it has come to my
> >>attention that it carries with it a crucial security flaw.  You can
> >>change a password without knowing the original password.  Yes, I know
> >>you have to be authed.  What if someone could walk up to a shell you
> >>happened to leave open, type "passwd" and proceed to set a new password
> >>for you?  This is exactly what can happen with the current protocol.
> >>
> >>Let's say I walk away from my PC and leave my Jabber client running.  My
> >>arch enemy Evil Coworker decides to change my password.  Since I'm
> >>already logged in, all he has to do is enter the new password.  He can
> >>then go over to his own desk, log in as me, and tarnish my squeaky clean
> >>reputation.
> >>
> >>The answer for avoiding this situation is simple.  All we have to do is
> >>enforce that both the old and new passwords are sent in the password
> >>change request.  This is how every other password system I've ever seen
> >>works.  
> >
> >
> >Or the client could just prompt you for the old and new password, 
> >check the old password against the password used when logging in
> >(assuming the client saved it), and send off the request if and only 
> >if the passwords matched.
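The server-side version of the fix JD proposes, as an added example that is not code from this thread or from any Jabber server: a handler for the JEP-0077 password-change stanza (`<query xmlns='jabber:iq:register'>` with `<username>` and `<password>`) that refuses to set the new password unless the request also carries the current one in an x:data form. The field name `old_password`, the hypothetical `store` of salted PBKDF2 hashes and the error names are assumptions for illustration; JEP-0077 itself defines no such field.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"
NS_XDATA = "jabber:x:data"
OLD_PW_FIELD = "old_password"   # assumed x:data field name; JEP-0077 does not define one
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 digest; a fresh salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def handle_password_change(stanza: str, session_user: str, store: dict) -> str:
    """Return 'ok' or an error name; `store` is updated only on success."""
    iq = ET.fromstring(stanza)
    query = iq.find(f"{{{NS_REGISTER}}}query")
    if iq.get("type") != "set" or query is None:
        return "bad-request"
    username = query.findtext(f"{{{NS_REGISTER}}}username")
    new_pw = query.findtext(f"{{{NS_REGISTER}}}password")
    if not username or not new_pw:
        return "bad-request"
    if username != session_user:          # an authed session may only change its own password
        return "forbidden"
    # The check the thread asks for: the current password must accompany the new one.
    old_pw = None
    form = query.find(f"{{{NS_XDATA}}}x")
    if form is not None:
        for field in form.findall(f"{{{NS_XDATA}}}field"):
            if field.get("var") == OLD_PW_FIELD:
                old_pw = field.findtext(f"{{{NS_XDATA}}}value")
    salt, digest = store[username]
    if old_pw is None or not verify_password(old_pw, salt, digest):
        return "not-authorized"           # missing or wrong current password: nothing changes
    store[username] = hash_password(new_pw)
    return "ok"
```

A request in the plain JEP-0077 form, with no old password, is rejected; the Evil Coworker at an unlocked client gains nothing beyond what the open session already allows.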
