Security Issue / Reset Password

Hi, I'm running Meteor 1.2.1

Hi, I have a serious issue I need help with.

Users have confirmed password reset emails sent to them and their passwords were changed. I just noticed because I also got an email about password reset. I did not click it, it was unopened, my email did not get compromised and also not the other users but their password got changed, also mine.

I can see the emails in the Mandrill backend. They have not been clicked or opened (Mandrill tracks this).

This happened to 5 users. I also do not know how someone knew their emails or mine (it was my private email).
(Bruteforce email addresses?)

I did not change any code for a long time! So I am concerned this might happen again. Is there maybe any token entropy issue in older Meteor 1.2.1?

I checked:

  1. My emails and other users' emails were sent through Mandrill. I changed the Mandrill API keys just to be sure. This is somehow the only vector I can really be unsure about.
  2. I checked my login method and everything works as it should. I need the token to change the password and log in.
  3. Access to my email and all other users' email is, I think, rather impossible. This happened in a 2 minute window.
  4. It needs the correct token for changing someone's password. How could someone get access to the token without access to their email?

ANY IDEA WOULD HELP ME GREATLY
Thank you.

There are many ways an attacker could get your e-mail. For starters check here: https://haveibeenpwned.com/

I have not been able to reproduce this issue. It is bugging me so much.

How did he get the reset link / token if it's generated server side?

I use Mandrill, could it have been a Mandrill admin?

If the attacker knows what system you are using there is a potential that they might find something that you forgot to forbid or something like that. In this case, they can just use the console to trigger the reset password routine. Getting to the reset token is another issue entirely. Try to type in the command into the console on your site and see what happens if it returns any value. If they are sophisticated enough they could possibly intercept those e-mails.

There have been some changes done to tokens in more recent versions:
http://docs.meteor.com/changelog.html

You should update just to be sure.

Can emails to Mandrill from the Meteor server be intercepted? When the email tunnel is not encrypted?

In theory yes, even if encrypted. If encrypted that just means they won't be able to make anything of it (again unless they have the resources to break the encryption). It all depends on their efforts and resources. Though I would consider that unlikely unless your app would make a target that would warrant such resources. Question is if the link to password reset isn't leaking somewhere.

Mh, I'm not sure, I don't think the token is leaking client facing

only if

Accounts.forgotPassword(options, [callback])
with some inject can return the token

or
Accounts.resetPassword(token, newPassword, [callback])
can be spoofed into using the token

My login log clearly shows the token is used with the resetPassword method

Maybe you have published the Meteor users collection?

Have you installed Meteor dev tools for Chrome? The dev tools have got some good security checks you can do on your app.
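The publication question raised above can be checked mechanically. This is an added example, not part of the original thread and not Meteor's own code: it takes the `fields` option of a users publication and lists which secret-bearing paths on the user document would still be sent to the client. The path list (the default accounts-password layout), the function names and the sample projections are assumptions constructed for illustration.

```javascript
// Added example, not from the thread. Runs under plain Node.js (no Meteor needed).

// Field paths where the accounts packages keep secrets on each user document.
// Assumption: default accounts-password layout; confirm against your own database.
const SENSITIVE_PATHS = [
  'services.password.reset.token',
  'services.password.bcrypt',
  'services.resume.loginTokens',
];

// True when `ancestor` equals `path` or is a dotted-path parent of it.
function covers(ancestor, path) {
  return path === ancestor || path.startsWith(ancestor + '.');
}

// Given the `fields` option of a users publication, list the sensitive paths
// that would still reach the client.
function exposedSensitivePaths(fields) {
  const keys = Object.keys(fields || {}).filter((k) => k !== '_id');
  if (keys.length === 0) return SENSITIVE_PATHS.slice(); // no projection: whole document
  const inclusion = Boolean(fields[keys[0]]); // Mongo forbids mixing modes
  return SENSITIVE_PATHS.filter((path) => {
    if (inclusion) {
      // Sent if an included key is the path, a parent of it, or a child of it.
      return keys.some((k) => covers(k, path) || covers(path, k));
    }
    // Exclusion mode: hidden only if the path itself or a parent is excluded.
    return !keys.some((k) => covers(k, path));
  });
}

// Constructed sample projections, as they might appear in Meteor.publish bodies.
const samples = {
  noProjection: undefined,
  profileOnly: { username: 1, profile: 1 },
  wholeServices: { username: 1, services: 1 },
  hashHiddenOnly: { 'services.password.bcrypt': 0 },
  servicesHidden: { services: 0 },
};

for (const [name, fields] of Object.entries(samples)) {
  const leaked = exposedSensitivePaths(fields);
  console.log(name, leaked.length ? 'EXPOSES ' + leaked.join(', ') : 'ok');
}
```

Note the `hashHiddenOnly` case: excluding only the password hash still leaves the reset token and login tokens in the published document.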

Hi, we don't publish the collections.

We have been running for a year and followed the allow/deny and publication subscription rules.

With Meteor dev tools everything is on green.

Do you allow access from public machines (like Internet cafes), where credentials could remain on the workstation?

Sure but it was 5 emails from 5 users from all over the world.