Ensure the requester of MagicLink is the one to use it #1981
udiudi started this conversation in Ideas and Issue Triage
Replies: 0 comments
It's not a critical vulnerability, but I think it should be addressed to tighten the authentication process.
Simple Reproduction Steps
I'll use Fizzy's seed data as an example:
1. david@37signals.com signs in and gets a screen to enter the code (an email is sent).
2. jason@37signals.com signs in and gets a screen to enter the code.
3. If jason@37signals.com enters david@37signals.com's code (obtained through whatever security breach), he is signed in as david@37signals.com as a result.

The Riskier Scenarios
This vulnerability can allow phishing attacks - as we usually see in the realm of two-factor auth ("You got a code in your email, can you send it over?").
Not very critical - but should be addressed, IMO.
The Fix
Ensure that the user who requests a magic link is the only one who can use it to sign in, with a session-based check on session[:pending_auth_email]. Proposed PR here.
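To make the two behaviours concrete, here is an added, stand-alone Ruby model of the check described in the post. It is not Fizzy's code and not the proposed PR; `MagicCodeStore`, `verify_any` and `verify_for` are hypothetical names, and the session is a plain Hash standing in for the Rails session. `verify_any` reproduces the reported behaviour (any outstanding code signs in its owner), while `verify_for` only accepts the code issued to the email recorded in `session[:pending_auth_email]`, consumes it once, and clears the pending state:

```ruby
require "securerandom"

# Hypothetical in-memory store of outstanding magic codes, keyed by email.
# Added example; not Fizzy's implementation.
class MagicCodeStore
  def initialize
    @codes = {} # email => six-digit code (would be emailed in the real app)
  end

  # Issue a fresh code for an email and return it (the email step is out of scope).
  def issue(email)
    @codes[email] = format("%06d", SecureRandom.random_number(1_000_000))
  end

  # Reported behaviour: the code is matched against every outstanding code,
  # so whoever types David's code is signed in as David, whatever email this
  # browser session actually asked for.
  def verify_any(code)
    email, _ = @codes.find { |_, c| secure_compare(c, code) }
    return nil unless email
    @codes.delete(email)
    email
  end

  # Fixed behaviour: the session remembers which email requested the code
  # (session[:pending_auth_email]), and only that email's code is accepted.
  # Returns the signed-in email, or nil when the check fails.
  def verify_for(session, code)
    pending = session[:pending_auth_email]
    return nil unless pending && secure_compare(@codes[pending], code)
    @codes.delete(pending)               # single use
    session.delete(:pending_auth_email)  # pending state is consumed
    pending
  end

  private

  # Constant-time comparison so code checks do not leak via timing; tolerates nil.
  def secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the post's seed-data scenario and return what each variant
# signs Jason in as when he enters David's code.
def scenario
  david = "david@37signals.com"
  jason = "jason@37signals.com"

  vulnerable = MagicCodeStore.new
  davids_code = vulnerable.issue(david)
  vulnerable.issue(jason)
  before_fix = vulnerable.verify_any(davids_code)

  fixed = MagicCodeStore.new
  davids_code = fixed.issue(david)
  fixed.issue(jason)
  jason_session = { pending_auth_email: jason }
  after_fix = fixed.verify_for(jason_session, davids_code)

  { before_fix: before_fix, after_fix: after_fix }
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

The important design point is that the lookup key comes from the server-side session, not from the submitted code: the code only proves possession of the email the session itself named, so a code belonging to someone else is simply never consulted.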