Ensure the requester of MagicLink is the one to use it #1981
Hey @udiudi, I ported your PR over to our repo and added you as the co-author.
It's not a critical vulnerability, but I think it should be addressed to tighten the authentication process.
Simple Reproduction Steps

I'll use Fizzy's seed data as an example:

1. [email protected] signs in, has a screen to write the code (and an email is sent).
2. [email protected] signs in, has a screen to write the code.
3. If [email protected] writes [email protected]'s code (for whatever security breach), he's signed in as [email protected] as a result.

The Riskier Scenarios
This vulnerability can allow phishing attacks - as we usually see in the realm of two-factor auth ("You got a code in your email, can you send it over?").
Not very critical - but should be addressed, IMO.
The Fix
Ensuring that the user who requests a magic link is the only one who can use it to sign in, with a session-based check on session[:pending_auth_email].

Proposed PR here.
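The flow above, replayed as an added example that is not Fizzy's code or the proposed PR: a plain Hash stands in for the Rails session, codes are kept in an in-memory Hash instead of the database, and the two addresses are constructed sample values. It contrasts a lookup that accepts any valid code with one scoped to the e-mail this session asked a code for.

```ruby
require 'securerandom'

# Constructed simulation of the magic-code sign-in flow (not Fizzy's implementation).
# @codes maps the e-mail a code was issued for to that code; the session is a Hash.
class MagicCodeAuth
  def initialize
    @codes = {}
  end

  # Step 1: an e-mail is entered and a code is issued; the hardened flow also records in
  # the session which e-mail this browser requested, mirroring session[:pending_auth_email].
  def request_code(session, email)
    code = SecureRandom.hex(3)
    @codes[email] = code
    session[:pending_auth_email] = email
    code # returned only so the simulation can stand in for the e-mail delivery
  end

  # Vulnerable: whoever presents a valid code is signed in as the e-mail it was issued for,
  # whatever e-mail this session requested a code for.
  def verify_unscoped(session, code)
    email, _ = @codes.find { |_, c| c == code }
    return nil unless email
    @codes.delete(email)
    session[:user_email] = email
  end

  # Hardened: the code is checked only against the e-mail this session requested, so a code
  # issued for another account cannot sign this session in as that account.
  def verify_scoped(session, code)
    pending = session[:pending_auth_email]
    return nil unless pending && @codes[pending] == code
    @codes.delete(pending)
    session.delete(:pending_auth_email)
    session[:user_email] = pending
  end
end

# Replays the reproduction steps: both users request a code, then Bob submits either
# Alice's code (the report) or his own (the legitimate case). Returns the signed-in e-mail or nil.
def replay(scoped:, use_own_code: false)
  auth = MagicCodeAuth.new
  alice_session, bob_session = {}, {}
  alice_code = auth.request_code(alice_session, "alice@example.com") # constructed address
  bob_code = auth.request_code(bob_session, "bob@example.com")       # constructed address
  code = use_own_code ? bob_code : alice_code
  scoped ? auth.verify_scoped(bob_session, code) : auth.verify_unscoped(bob_session, code)
end
```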