Bug 197 - Any account can be easily sabotaged
Summary: Any account can be easily sabotaged
Status: CONFIRMED
Alias: None
Product: Lab Report Repository (nor houzi)
Classification: Unclassified
Component: Password resetting
Version: unspecified
Hardware: PC Windows
Importance: --- critical
Assignee: Mohamed Nor Abdullahi
URL:
Depends on:
Blocks:
 
Reported: 2020-12-18 18:02 CST by IBRAHIM MOHAMED IBRAHIM ISMAIL
Modified: 2020-12-18 18:02 CST

See Also:

Description IBRAHIM MOHAMED IBRAHIM ISMAIL 2020-12-18 18:02:31 CST
Overview:

This might be the most critical bug ever produced in LRR.

If this bug were to actually happen in commercial software, it would cost the business millions if not billions of dollars.
And that system would get shut down immediately.

I'm not sure whether I can call this a bug or a security flaw/breach.

The problem, as the title suggests, is that anyone at any time can sabotage any account in LRR as long as they can provide the target's email and student ID.

Steps to reproduce:

1) Click on "Reset my password" under "Login" button in LRR's homepage.
2) Enter the targeted student's email and ID.
3) Click "Recover".
4) You will see a "password reset successfully" message, and it will ask you to go sign up again.
5) On the homepage, enter the target student ID in the signup form, and click "Next".
6) Enter the target's new information, which includes his new password.
7) Congrats, you have just hacked someone.

Expected result:

The target should receive an email message with a link to reset his password by himself.

Actual result:

The target's account has been sabotaged.

Additional information:

I couldn't find the right term for this bug on the severity list, so I would like to propose a new exclusive term: "Disaster".
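The flaw in the report is that knowing a student's email and ID is enough to clear the account and then re-register the ID with a new password. The "Expected result" above describes the standard fix: the reset form may only trigger an email, and only the holder of the emailed token can set a new password. The following is an added example of that flow; it is not code from the report or from LRR, and the account store, mail outbox, URL and student ID in it are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # reset links expire after 15 minutes
PBKDF2_ROUNDS = 200_000


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt:digest' in hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-ins for LRR's database and mail server (hypothetical data).
ACCOUNTS = {"s123456": {"email": "student@example.edu",
                        "password_hash": hash_password("old-pass")}}
RESET_TOKENS = {}   # sha256(token) -> (student_id, expiry timestamp)
OUTBOX = []         # (recipient, reset link) pairs that would be emailed

# One reply for every outcome, so the form does not reveal which
# (student ID, email) pairs exist.
GENERIC_REPLY = "If the details match an account, a reset link has been sent."


def request_reset(student_id, email, now=None):
    """Step 1: the only effect of email + student ID is an email to the
    registered address. The account is left untouched: no password is
    cleared and the ID is not released for re-registration."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(student_id)
    if account is None or not hmac.compare_digest(account["email"].lower(),
                                                  email.lower()):
        return GENERIC_REPLY
    token = secrets.token_urlsafe(32)            # 256 bits, unguessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = (student_id, now + TOKEN_TTL_SECONDS)
    # Only the hash is stored; a database leak does not expose live tokens.
    OUTBOX.append((account["email"], f"https://lrr.example/reset?token={token}"))
    return GENERIC_REPLY


def complete_reset(token, new_password, now=None):
    """Step 2: only the holder of the emailed token can set a new password.
    Tokens are single use and expire."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)   # pop: a token works once
    if entry is None:
        return False
    student_id, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[student_id]["password_hash"] = hash_password(new_password)
    return True


def can_register(student_id):
    """Signup must refuse an ID that already has an account, even one with
    a pending reset; requesting a reset never frees the ID (closes step 5
    of the report)."""
    return student_id not in ACCOUNTS
```

The reset form returns the same message whether or not the pair matches, so it cannot be used to confirm which IDs and emails belong together, and an attacker who knows both still changes nothing without access to the student's mailbox.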
