
When changing password or email address, require to type old password #2932

Closed
mattab opened this issue Feb 15, 2012 · 3 comments · Fixed by #13683
Labels: c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in GitHub.) · Task (Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.)

Comments

mattab (Member) commented Feb 15, 2012

If you leave Piwik open and logged in, anyone accessing the computer could change the email address or the password. Changing the email address would allow one to "reset" the password.

Therefore, as an extra security measure, we should require the old password to change the password or the email address.

When changing other settings, inputting the password wouldn't be necessary.

@mattab mattab added this to the 2.x - The Great Piwik 2.x Backlog milestone Jul 8, 2014
@mattab mattab removed the P: normal label Aug 3, 2014
mattab (Member, Author) commented Sep 4, 2014

see also #6125

@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
mattab (Member, Author) commented Sep 3, 2018

Rather than typing the old password in the page, maybe on submit it could redirect to the login form with only the password field and ask to enter the password there? (Like GitHub does.)

mattab (Member, Author) commented Oct 2, 2018

Also, and this is important:

  • the API that updates the password (e.g. at least the updateUser API) will need to enforce the same protections, i.e. require the user password to be input as a parameter before changing the user password

otherwise an attacker could easily write an XSS that calls the API to change the password and bypass the "Enter your password" protection.
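The following is an added illustration of the design discussed across this thread (the current-password requirement from the opening comment, the "redirect to a password-only login form" idea, and the API enforcement point above). It is not Matomo code: `User`, `update_user`, `api_update_user`, `handle_settings_form`, the `passwordConfirmation`/`currentPassword` parameter names and the `/login?confirm=1` redirect target are all hypothetical. The point it demonstrates is that email and password changes are written through one chokepoint that verifies the current password, and both the settings form and the API call that chokepoint, so a script injected via XSS that calls the API with the victim's session cannot skip the check because it does not know the victim's password.

```python
"""Re-authentication gate for sensitive account changes (added example, not Matomo code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000  # illustrative work factor, not a recommendation


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against salt || key."""
    salt, dk = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


class ReauthRequired(Exception):
    """A sensitive change arrived without a valid current password."""


@dataclass
class User:  # hypothetical user record
    login: str
    email: str
    password_hash: bytes
    alias: str = ""


def update_user(user: User, *, current_password: Optional[str] = None,
                new_email: Optional[str] = None, new_password: Optional[str] = None,
                alias: Optional[str] = None) -> User:
    """The single place where account fields are written.

    Email and password changes require the current password; other settings
    (here: alias) do not. Every entry point, UI or API, goes through this
    function, so no caller can choose a path that skips the check.
    """
    sensitive = new_email is not None or new_password is not None
    if sensitive and (current_password is None
                      or not verify_password(current_password, user.password_hash)):
        raise ReauthRequired("current password required to change email or password")
    if new_email is not None:
        user.email = new_email
    if new_password is not None:
        user.password_hash = hash_password(new_password)
    if alias is not None:
        user.alias = alias
    return user


def api_update_user(user: User, params: dict) -> dict:
    """API entry point: the confirmation password is an ordinary request parameter.

    A request issued by injected script with the victim's session cookie but
    without the victim's password is rejected here, not silently applied.
    """
    try:
        update_user(user,
                    current_password=params.get("passwordConfirmation"),
                    new_email=params.get("email"),
                    new_password=params.get("password"),
                    alias=params.get("alias"))
    except ReauthRequired as exc:
        return {"result": "error", "message": str(exc)}
    return {"result": "success"}


def handle_settings_form(user: User, form: dict):
    """UI entry point modelled on the 'redirect to a password-only form' idea.

    A submission that touches email/password but carries no current password
    is answered with a redirect to a confirmation page (hypothetical URL); the
    confirmation page re-posts the same form with the password filled in.
    """
    sensitive = "email" in form or "password" in form
    if sensitive and not form.get("currentPassword"):
        return ("redirect", "/login?confirm=1")
    try:
        update_user(user, current_password=form.get("currentPassword"),
                    new_email=form.get("email"), new_password=form.get("password"),
                    alias=form.get("alias"))
    except ReauthRequired:
        return ("error", "wrong password")
    return ("ok", user)
```

The split into a chokepoint plus thin entry points is the part worth copying: if the form handler and the API each reimplemented the check, one of them would eventually forget it, which is exactly the bypass the comment above describes.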
