[CWD-86] Anyone can reset anyone elses password

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.1
Affects Version/s: None
Component/s: Core features
Labels:
None

Bug Fix Policy:
View Atlassian Server bug fix policy

Currently anyone can reset anyone else's password if they know the username. It would be better if Crowd mailed them a link that gave them the option to reset the password, and ignore otherwise.

duplicates

CWD-1875 Update Forgotten Password workflow to Atlassian standard

Closed

is incorporated by

CWD-1875 Update Forgotten Password workflow to Atlassian standard

Closed

Monique Khairuliana (Inactive) made changes - 15/Aug/2019 7:04 AM

Workflow	Original: Simplified Crowd Development Workflow v2 - restricted [ 1509314 ]	New: JAC Bug Workflow v3 [ 3364000 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 07/Jul/2016 6:18 AM

Workflow

Original: Simplified Crowd Development Workflow v2 [ 1391100 ]

New: Simplified Crowd Development Workflow v2 - restricted [ 1509314 ]

Owen made changes - 12/May/2016 2:51 AM

Workflow

Original: Crowd Development Workflow v2 [ 273625 ]

New: Simplified Crowd Development Workflow v2 [ 1391100 ]

jawong.adm made changes - 15/Dec/2010 10:50 PM

Workflow

Original: JIRA Bug Workflow v2 [ 173325 ]

New: Crowd Development Workflow v2 [ 273625 ]

David O'Flynn [Atlassian] made changes - 25/Jun/2010 6:49 AM

Fix Version/s		New: 2.1 [ 14496 ]
Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

shihab added a comment - 06/May/2010 12:01 AM

The solution to this problem is defined in the linked issue (~~CWD-1875~~).

shihab added a comment - 06/May/2010 12:01 AM The solution to this problem is defined in the linked issue ( CWD-1875 ).

shihab made changes - 06/May/2010 12:01 AM

Link

New: This issue duplicates ~~CWD-1875~~ [ ~~CWD-1875~~ ]

Aleksejs Mjaliks added a comment - 04/May/2010 6:46 PM

How about captcha challenge?

Aleksejs Mjaliks added a comment - 04/May/2010 6:46 PM How about captcha challenge?

T Chan added a comment - 04/May/2010 4:41 PM

This is a trivial denial-of-service attack. Knowing someone's username should not let you reset their password.

Some sort of password-change-confirmation rate-limiting would be usful (e.g. it doesn't send more than one per day, reset when the user changes passwords).

Secret questions a terrible idea, if only because they will almost certainly be used wrong.

T Chan added a comment - 04/May/2010 4:41 PM This is a trivial denial-of-service attack. Knowing someone's username should not let you reset their password. Some sort of password-change-confirmation rate-limiting would be usful (e.g. it doesn't send more than one per day, reset when the user changes passwords). Secret questions a terrible idea, if only because they will almost certainly be used wrong.

David O'Flynn [Atlassian] made changes - 21/Apr/2010 3:24 AM

Link

New: This issue is incorporated by ~~CWD-1875~~ [ ~~CWD-1875~~ ]

Assignee:: Justen Stepka [Atlassian]

Reporter:: Steve Smith (Inactive)

Affected customers:: 11 This affects my team

Watchers:: 6 Start watching this issue

Created:: 20/Dec/2006 5:24 AM

Updated:: 15/Aug/2019 7:04 AM

Resolved:: 25/Jun/2010 6:49 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: shihab added a comment - 06/May/2010 12:01 AM

Expand comment: shihab added a comment - 06/May/2010 12:01 AM

Collapse comment: Aleksejs Mjaliks added a comment - 04/May/2010 6:46 PM

Expand comment: Aleksejs Mjaliks added a comment - 04/May/2010 6:46 PM

Collapse comment: T Chan added a comment - 04/May/2010 4:41 PM

Expand comment: T Chan added a comment - 04/May/2010 4:41 PM

People

Dates