在Devise中使用明文电子邮件确认令牌有什么漏洞?

时间:2022-10-23 19:09:50

Devise uses email confirmation tokens with one-way encryption.

Devise使用带有单向加密的电子邮件确认令牌。

The UX cost to this is that if a new confirmation email is sent, then if a user happens to find an older email and click the link, their token won't work.

UX的成本是,如果发送了新的确认电子邮件,那么如果用户碰巧找到旧电子邮件并单击该链接,则其令牌将无效。

What is the security vulnerability that Devise is avoiding with a one-way hashed token? What would be insecure about putting a plaintext token in the database? The only thing I can think of is if someone compromised the database they could then find the token and falsely confirm the email. But...

使用单向散列令牌,Devise正在避免哪些安全漏洞?将明文标记放入数据库会有什么不安全感?我唯一能想到的是,如果有人破坏了数据库,他们就可以找到令牌并错误地确认电子邮件。但...

  1. if someone has compromised the database, I think there are more serious problems to worry about at that point
  2. 如果有人破坏了数据库,我认为在那一点上需要担心更严重的问题

  3. all they can do is "falsely" confirm an email address they don't control. What's the benefit of this anyway? The more malicious thing to do is switch an account to use an email address that the attacker controls. But having a plaintext confirmation token wouldn't have anything to do with that.
  4. 他们所能做的就是“错误地”确认他们无法控制的电子邮件地址。无论如何,这有什么好处?更恶意的事情是切换帐户以使用攻击者控制的电子邮件地址。但是使用明文确认令牌与此无关。

So, what is the purpose of the encrypted token?

那么,加密令牌的目的是什么?

1 个解决方案

#1


0  

From the Devise 3.1 release announcement:

从Devise 3.1发布公告:

In previous versions, Devise stored the tokens for confirmation, reset password and unlock directly in the database. This meant that somebody with read access to the database could use such tokens to sign in as someone else by, for example, resetting their password.

在以前的版本中,Devise存储了令牌以进行确认,重置密码并直接在数据库中解锁。这意味着对数据库具有读访问权限的人可以使用此类令牌以其他人身份登录,例如重置密码。

In Devise 3.1, we store an encrypted token in the database and the actual token is sent only via e-mail to the user.

在Devise 3.1中,我们将加密的令牌存储在数据库中,并且实际令牌仅通过电子邮件发送给用户。

So that is, at least, the reason the Devise developers saw.

至少,这是Devise开发人员看到的原因。

Re your #1: Full database compromise isn’t necessary, just read access to that particular subset of data. This could be achieved via SQL injection, a malicious internal user with database access, or other means.

重新#1:不需要完全数据库妥协,只需读取对该特定数据子集的访问权限。这可以通过SQL注入,具有数据库访问权限的恶意内部用户或其他方式来实现。

Re your #2: I’m not entirely certain. Likely they wanted to maintain consistency across confirmation, reset, and unlock token storage.

你的#2:我不完全确定。他们可能希望在确认,重置和解锁令牌存储之间保持一致性。

#1


0  

From the Devise 3.1 release announcement:

从Devise 3.1发布公告:

In previous versions, Devise stored the tokens for confirmation, reset password and unlock directly in the database. This meant that somebody with read access to the database could use such tokens to sign in as someone else by, for example, resetting their password.

在以前的版本中,Devise存储了令牌以进行确认,重置密码并直接在数据库中解锁。这意味着对数据库具有读访问权限的人可以使用此类令牌以其他人身份登录,例如重置密码。

In Devise 3.1, we store an encrypted token in the database and the actual token is sent only via e-mail to the user.

在Devise 3.1中,我们将加密的令牌存储在数据库中,并且实际令牌仅通过电子邮件发送给用户。

So that is, at least, the reason the Devise developers saw.

至少,这是Devise开发人员看到的原因。

Re your #1: Full database compromise isn’t necessary, just read access to that particular subset of data. This could be achieved via SQL injection, a malicious internal user with database access, or other means.

重新#1:不需要完全数据库妥协,只需读取对该特定数据子集的访问权限。这可以通过SQL注入,具有数据库访问权限的恶意内部用户或其他方式来实现。

Re your #2: I’m not entirely certain. Likely they wanted to maintain consistency across confirmation, reset, and unlock token storage.

你的#2:我不完全确定。他们可能希望在确认,重置和解锁令牌存储之间保持一致性。