
When requesting a password reset, the email content is out of date #13520

Closed
mattab opened this issue Oct 2, 2018 · 4 comments
Labels: c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.)


mattab commented Oct 2, 2018

When requesting a password reset, the email content is out of date

Current email

Hi USERNAME,

A password reset request was received from A.B.C.D. To confirm this password change so you can login with your new credentials, visit the following link:

https://demo.matomo.org/index.php?module=Login&action=confirmResetPassword&login=root&resetToken=xxxxxxx

Attention: Changing the password will also change your token_auth. You can look up your new token_auth on your settings page.

If you are using your API token_auth in any external applications or for archiving, make sure to update the token_auth as requests to the API will fail otherwise.

Note: this link will expire in 24 hours.

And thank you for using Matomo!

Changes to make:

  • Remove the 2 sentences saying the token_auth changes when you reset password. Since a few versions ago, we have de-coupled password and token_auth and now changing password does not change token anymore.

  • Do not make the link clickable. It is too easy to fall into the trap of an attacker requesting a password reset and then someone opening the email and clicking on the link by mistake or out of habit of trusting all emails from Matomo. Requesting a password reset is one of the most critical things, and it's important to make sure people understand what they're doing (and can't be easily tricked).

  • Update the text from "visit the following link" to "please copy and paste the following link in your browser:"

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Oct 2, 2018
@mattab mattab added this to the 3.6.1 milestone Oct 2, 2018
diosmosis (Member) commented:

Note: the link is not clickable by default; clients like Gmail parse it and make it clickable.


mattab commented Oct 11, 2018

> Note: the link is not clickable by default; clients like Gmail parse it and make it clickable.

Oh interesting, is there maybe a way to disable this feature somehow? @diosmosis

Edit: maybe once we have HTML emails then it's possible 👍

diosmosis (Member) commented:

I tested removing the protocol and that was enough to make it not clickable. We'd have to display a link like: www.blahblahmatomo.org/index.php?... instead of https://www.blahblahmatomo.org/index.php?....
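The following is an added example, not Matomo's own code or anything from this thread's authors. It shows the two changes discussed above in one place: the reset email rendered without the token_auth sentences and with the confirmation link emitted without its scheme (the trick diosmosis tested to stop mail clients from auto-linking it), plus a regression check that fails if any scheme-prefixed URL ever sneaks back into the plain-text body. The host, username, IP and token values are constructed, the URL shape follows the example quoted in the issue, and the function names are this example's own.

```python
import re
from urllib.parse import urlencode

# Path of the confirmation endpoint, taken from the URL quoted in the issue.
RESET_PATH = "/index.php"

# Anything of the form "<scheme>://" is what mail clients such as Gmail
# turn into a clickable link. The plain-text template must not contain it.
_AUTOLINK_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def build_reset_link(host: str, login: str, reset_token: str, clickable: bool) -> str:
    """Build the confirmReset link. With clickable=False the scheme is omitted,
    so the recipient has to copy and paste it rather than click it."""
    query = urlencode({
        "module": "Login",
        "action": "confirmResetPassword",
        "login": login,
        "resetToken": reset_token,
    })
    link = f"{host}{RESET_PATH}?{query}"
    return f"https://{link}" if clickable else link


def build_reset_email(username: str, requester_ip: str, host: str, login: str,
                      reset_token: str, clickable: bool = False) -> str:
    """Render the plain-text reset email.

    The two token_auth sentences from the old template are intentionally absent:
    since password and token_auth were decoupled, a reset no longer changes the
    token. The instruction wording switches with the link style."""
    link = build_reset_link(host, login, reset_token, clickable)
    instruction = ("visit the following link" if clickable
                   else "please copy and paste the following link in your browser")
    return (
        f"Hi {username},\n\n"
        f"A password reset request was received from {requester_ip}. To confirm this "
        f"password change so you can login with your new credentials, {instruction}:\n\n"
        f"{link}\n\n"
        "Note: this link will expire in 24 hours.\n\n"
        "And thank you for using Matomo!\n"
    )


def has_autolinkable_url(body: str) -> bool:
    """Regression check for the template: True if a mail client would
    render some part of the body as a clickable link."""
    return _AUTOLINK_RE.search(body) is not None


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real one.
    body = build_reset_email("root", "203.0.113.5", "demo.matomo.org", "root", "TOKEN_PLACEHOLDER")
    print(body)
    print("auto-linkable:", has_autolinkable_url(body))
```

The check is worth keeping as a unit test even after the thread's decision to leave the link clickable for now: when the templates move to HTML, it documents which variant of the template is intended and catches a scheme being re-added by accident.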


mattab commented Oct 11, 2018

Ok, let's leave it clickable for now, and once we move to have all-HTML emails we can make the link not clickable.
