
Password change without identity check

Need

Ensure only the authentic user can change the account password

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Phoenix Framework for building web applications

• Password reset without identity verification

Description

1. Non-compliant code

defmodule VulnerableController do
  use MyApp.Web, :controller

  def change_password(conn, %{"new_password" => new_password}) do
    user = get_current_user(conn)
    # The only thing checked is that a session exists: the caller is never
    # asked to prove knowledge of the current password before it is replaced.
    User.change_password(user, new_password)
    send_resp(conn, 200, "Password changed")
  end
end

The Elixir code above is vulnerable because it allows users to change their passwords without verifying their current password. An attacker who has access to a user's session could change the password without the user's knowledge.

2. Steps

• Require the current password when a user attempts to change their password.

• Consider implementing a second form of identity verification (e.g., email confirmation, OTP).

3. Secure code example

defmodule SecureController do
  use MyApp.Web, :controller

  def change_password(conn, %{"current_password" => current_password, "new_password" => new_password}) do
    user = get_current_user(conn)
    # Re-authenticate the caller with the current password before accepting the change
    if User.check_password(user, current_password) do
      User.change_password(user, new_password)
      send_resp(conn, 200, "Password changed")
    else
      # Wrong or missing current password: refuse the change
      send_resp(conn, 401, "Current password is incorrect")
    end
  end
end

The Elixir code above is secure because it requires the current password to change the password. This helps ensure that the request is made by the legitimate user.
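The following is an added example, not code from the original page, that goes beyond the secure controller above and covers both steps: it re-checks the current password and also requires the second factor the steps suggest (here an emailed one-time confirmation token). The module name PasswordChangePolicy, the `confirmation_token` field, the injected `verify_fun` and the demo data are all assumptions; it runs stand-alone with `elixir policy.exs`.

```elixir
defmodule PasswordChangePolicy do
  import Bitwise

  # Decides whether a password change may proceed. `verify_fun.(user, pw)` returns
  # true only when pw matches the stored hash (in a real app a wrapper around
  # Bcrypt.verify_pass/2 or Argon2.verify_pass/2).
  def authorize(user, params, verify_fun) do
    current = Map.get(params, "current_password", "")
    new_password = Map.get(params, "new_password", "")
    token = Map.get(params, "confirmation_token", "")

    cond do
      # A valid session alone is not proof of identity: re-check the secret.
      not verify_fun.(user, current) -> {:error, :invalid_current_password}
      # Second factor: one-time token mailed to the account when the change was requested.
      is_nil(user.confirmation_token) or not secure_compare(user.confirmation_token, token) ->
        {:error, :invalid_confirmation_token}
      new_password == current -> {:error, :password_unchanged}
      true -> :ok
    end
  end

  # Constant-time comparison so a wrong token cannot be narrowed down from timing.
  def secure_compare(a, b) when byte_size(a) == byte_size(b) do
    a
    |> :binary.bin_to_list()
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end)
    |> Kernel.==(0)
  end

  def secure_compare(_, _), do: false
end

# Constructed demo data; SHA-256 stands in for a slow password hash here only.
verify = fn user, pw -> PasswordChangePolicy.secure_compare(user.password_hash, :crypto.hash(:sha256, pw)) end
user = %{id: 1, password_hash: :crypto.hash(:sha256, "old-pass"), confirmation_token: "tok-123456"}

# A session-only request, which the vulnerable controller accepted, is refused.
{:error, :invalid_current_password} =
  PasswordChangePolicy.authorize(user, %{"new_password" => "new-pass"}, verify)

# Correct current password without the second factor is refused as well.
{:error, :invalid_confirmation_token} =
  PasswordChangePolicy.authorize(user, %{"current_password" => "old-pass", "new_password" => "new-pass"}, verify)

params = %{"current_password" => "old-pass", "new_password" => "new-pass", "confirmation_token" => "tok-123456"}
:ok = PasswordChangePolicy.authorize(user, params, verify)
```

A controller would call `User.change_password/2` only after `authorize/3` returns `:ok` and should clear the stored confirmation token once it has been used.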