[standards-jig] JEP-0077 Password Changing Security Flaw
stpeter at jabber.org
Fri Jan 23 05:04:55 UTC 2004
Precisely. The old rule is, if someone has physical access to your
machine, there is not much a protocol can do to prevent damage.
If you feel this is an important feature, you can always use the
extension mechanism defined in JEP-0077 (i.e., x:data) to implement
the desired functionality. Or turn off in-band registration entirely.
But I will add something about this to the security considerations...
On Thu, Jan 22, 2004 at 09:46:20PM -0700, Matthew A. Miller wrote:
> Or you could lock your workstation. If someone malicious has enough
> access to your workstation to change that password, what's to stop them
> from using your e-mail client? Or deleting all your critical files?
> I think having your Evil Coworker changing your Jabber account password
> is the least of your worries...
> - LW
> Dudley Carr wrote:
> >JD Conley wrote:
> >>I know this spec has been around forever, but it has come to my
> >>attention that it carries with it a crucial security flaw. You can
> >>change a password without knowing the original password. Yes, I know
> >>you have to be authed. What if someone could walk up to a shell you
> >>happened to leave open, type "passwd" and proceed to set a new password
> >>for you? This is exactly what can happen with the current protocol.
> >>Let's say I walk away from my PC and leave my Jabber client running. My
> >>arch enemy Evil Coworker decides to change my password. Since I'm
> >>already logged in, all he has to do is enter the new password. He can
> >>then go over to his own desk, log-in as me, and tarnish my squeaky clean
> >>The answer for avoiding this situation is simple. All we have to do is
> >>enforce that both the old and new passwords are sent in the password
> >>change request. This is how every other password system I've ever seen
> >Or the client could just prompt you for the old and new password,
> >check the old password against the password used when logging-in
> >(assuming the client saved it), and send off the request if and only
> >if the passwords matched.
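Added example, not code from the JEP or from any Jabber server: a minimal jabber:iq:register handler behaving as the thread describes (any authenticated session may set a new password), beside one that also demands the current password, carried in an x:data form as stpeter's reply suggests. The field name old_password, the account store and the stanzas are assumptions.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

REG = "jabber:iq:register"
XDATA = "jabber:x:data"

def hash_pw(pw, salt=None):
    """Salted PBKDF2 digest; the server keeps (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def verify_pw(pw, salt, digest):
    return hmac.compare_digest(hash_pw(pw, salt)[1], digest)

def _parse(stanza_xml, session_user):
    """Return (query, new_password), or None if malformed or aimed at another account."""
    q = ET.fromstring(stanza_xml).find(f"{{{REG}}}query")
    if q is None:
        return None
    user = q.findtext(f"{{{REG}}}username")
    new = q.findtext(f"{{{REG}}}password")
    if (user is not None and user != session_user) or not new:
        return None
    return q, new

def change_password_vulnerable(store, session_user, stanza_xml):
    """The behaviour JD Conley describes: an authenticated session sets a new
    password without proving it knows the current one. store: {user: (salt, digest)}."""
    parsed = _parse(stanza_xml, session_user)
    if parsed is None:
        return "error"
    store[session_user] = hash_pw(parsed[1])
    return "result"

def change_password_hardened(store, session_user, stanza_xml):
    """Same request, but the current password must ride along in an x:data form
    (hypothetical field var 'old_password') and verify before anything changes."""
    parsed = _parse(stanza_xml, session_user)
    if parsed is None:
        return "error"
    q, new = parsed
    old = q.findtext(f"{{{XDATA}}}x/{{{XDATA}}}field[@var='old_password']/{{{XDATA}}}value")
    salt, digest = store[session_user]
    if old is None or not verify_pw(old, salt, digest):
        return "error"  # would be <not-authorized/> on the wire
    store[session_user] = hash_pw(new)
    return "result"
```

A client-side check against the password used at login, as Dudley Carr proposes, does not protect the account: the server still accepts the bare request, so only the server-side verification closes the hole.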