Persona Password Reset Phishing Flaw
2 points by _urga on Oct 10, 2012 | 3 comments
I just tried to reset my Persona password and was surprised by the flow:

1. Persona asked me to choose a new password and confirm it, right then and there.

2. I received an email with this text: "Forgot your password for Persona? It happens to the best of us. Click here to reset your password."

3. Clicking that link provided no further confirmation before changing my password.

Usually, a password reset link is sent by email, and the user then chooses a new password. This means that it's always the user who chooses the password. Users are conditioned to this. Even if somebody else generates a password reset email, the user can just ignore it, or even if they then decide they want to reset their password, they can follow the link and reset their password.

With Persona, however, someone else gets to choose the password. The user gets sent an email that looks no different from the usual password reset email. But if they just so much as click that link then someone else has changed their password. I can imagine some users might be surprised, trust Persona, and close the tab.



Indeed, you're not the only one confused by this flow, which is why there's an open bug for it: https://github.com/mozilla/browserid/issues/1232


Thanks for the feedback!

> 3. Clicking that link provided no further confirmation before changing my password.

Try doing that from another browser :) Persona only skips confirmation if you hit the reset link from the same browser that requested the reset.

Edit: More info at https://github.com/mozilla/browserid/issues/2499#issuecommen...

Which is really interesting, because Persona is doing the right thing, but giving the impression of not doing the right thing. Hm.


Thanks Dan.



