New Relic: Missing security best practices (leads to further impact)

2018-07-23T15:39:29
ID H1:385420
Type hackerone
Reporter badcracker
Modified 2018-07-24T23:04:08

Description

Vulnerabilities:- 1.Use of old passwords is possible(current password can be used as new password). 2.Email notification is not being sent to linked mail account while changing passwords

steps to reproduce the two issues

*create account with password example badcracker@123

*change password to badcracker@123 and you will see it is accepted

  • check email you will see no email is sent duo to the changing of password

->I hope that you will consider this report and resolve it.And also i am ready to give any more info if you want regarding this issue.

Impact

Case-1:- ->whenever a user requests a reset token for recovery of his account,a reset token is being to his linked mail account.so,he can set a new password in next step. ->but,here the bug is that newrelic is again accepting the current password(that is,forgotten password by the user). ->the problem is that,today attackers are accessing particular user account by knowing his other account passwords in other sites and also by knowing the old passwords used by him. ->so,allowing users to set old password is some what a typical issue.

Case-2:- -> If an attacker change the password of user account ,then the email(e.g. your password has been reset) is not being sent to user mail id. ->So,finally by using other method if an attacker hijacks/access the password reset token/user gmail account and reset the password,in that case missing of this protection will also leads to privilege escalation of the attacker.

Necessity for implementing this security practice:- ->for security purpose,if these emails are been sent to user,then it will help user to know immediately that his account is in danger.so,that an immediate remediation step can be taken by the user to protect his account. Conclusion:- ->Finally,do not implementing mail server configuration is leading to these many issues and also failing to implement this practice in turn leads to further impact. ->At the end,atleast users should have one chance to take remedy step immediately if their accounts are hacked.