[savannah-help-public] [sr #109310] Loophole Creating Account

Discussion:

anonymous

2017-05-11 06:05:11 UTC

URL:
<http://savannah.gnu.org/support/?109310>

Summary: Loophole Creating Account
Project: Savannah Administration
Submitted by: None
Submitted on: Thu 11 May 2017 06:05:09 AM UTC
Category: None
Priority: 5 - Normal
Severity: 4 - Important
Status: None
Assigned to: None
Originator Email: ***@gmail.com
Operating System: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

I cannot login with my user name (important name for me).
I used my "Lastpass" program to generate the initial password while creating
the account. I depended on Lastpass to create a login entry in its database
or at least remember the generated password but it did not this time.

So after I verified, via the emailed link, I went to do the "Forgot Password"
process. This is possible on every other account authorization scheme I have
ever seen. "Savannah" will not allow me to reset the password for this
account because it is "pending". I also cannot start over and create a new
account with my login name since it is already there.

I am in limbo. I have an account that I forgot the password to and I am
permanently locked out.

Why does the login process lock me out of being able to reset the password? I
never heard of that before. What is this extra validation protecting
against?

Why am I not able to create an new account over the old one ESPECIALLY when
using the same username AND email address?

Rick Johnson
631-921-8450 (mobile)

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?109310>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

Bob Proulx

2017-05-12 10:12:42 UTC

Permalink

Update of sr #109310 (project administration):

Status: None => Need Info
Assigned to: None => rwp

_______________________________________________________

Follow-up Comment #1:

I have manually activated your account. The account is active. Which means
that you should be able to log in using the password you set previously. If
not then you should be able to trigger the lost password recovery process.

There is definitely some bad interaction with Lastpass. Yours is an
additional report of a problem when using Lastpass. At the moment we don't
know what the bad interaction is however. I believe Lastpass should work okay
with the Savannah site because Savannah's login forms are very old-school and
should be okay to use with Lastpass.

Accounts are "PENDING" until the email address has been confirmed. But this is
a little bit of a circular dependency for triggering the lost password
recovery routine since that part will only recognize "ACTIVE" accounts. Since
it is pending it just isn't active.

One can't create an additional account on top of an existing account. There
isn't any code to handle that case.

In any case your account is now activated. You should be able to log in now.
Please let us know if you are now able to login. I think you should be able
to do so. If you need to trigger the password recovery please let us know
that too. I will leave the ticket open hoping to hear back from you on your
login success.

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?109310>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

Bob Proulx

2018-04-09 19:30:36 UTC

Permalink

Update of sr #109310 (project administration):

Open/Closed: Open => Closed

_______________________________________________________

Follow-up Comment #2:

It's been a year and haven't heard back. Closing this ticket.

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?109310>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

Rick Johnson

2018-04-10 01:58:59 UTC

Permalink

Follow-up Comment #3, sr #109310 (project administration):

Hi Bob, or TWIMC

This is definitely NOT "some bad interaction with Lastpass". I only mentioned
LastPass to indicate that I had certainly gotten my username and password
correct.

I am guilty for missing the idea of an email verification or forgetting about
it after the email took too long and I moved on with my life. I also managed
to archive the verification email.
The "INVALID.NOREPLY" sender didn't encourage me to pay attention to the
verification email.

I was correct in wanting my ONE username, as this site has significant
discussion activity.

My (mis)use-case is valid.
The site should NOT put a new account username/password into a PENDING
purgatory. I suggest the login rejection of an attempt that actually has the
right credentials include the message that reminds about the email
verification, for instance, "Perhaps you have missed the emailed verification
link?".

Also, consider the case where the initial attempt is sent to you with a typo
in their email. Is that covered?

And the database of PENDING credentials should time out and be purged at some
point... a day, a month, or the minimum delay consistent with your defense
against bots.

Rick Johnson -- RickJohn57
631-921-8450 (mobile)

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?109310>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

Bob Proulx

2018-04-10 04:15:09 UTC

Permalink

Follow-up Comment #4, sr #109310 (project administration):

Yours was not the only Lastpass user that reported problems. There were
several all at one time. Seemed suspicious.

The design is that pending accounts should be deleted after 36 hours or 3 days
or some similar time that I don't recall at this moment. But in theory
pending accounts that are not activated within that time are discarded and
then allowed to be registered new again. At that time a new email is sent
out. Something does appear to be broken there however.

The web interface has been running on inertia for a while. It could
definitely use some help from someone who enjoys dealing with old PHP code.
As with many projects like this I will say, patches welcome!

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?109310>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

Rick Johnson

2018-04-15 01:04:10 UTC

Permalink

Okay, as long as you know and it gets logged as an issue.
It creates customer pain. Some ask for help sooner than others.
We who are caught in the loop are few, so not much of a problem for you, I
guess.
Many are probably okay with using different usernames.

Maybe Lastpass causes a pattern of use that enables the problem.

Just tryin' to help.
Rick

Post by Bob Proulx
Yours was not the only Lastpass user that reported problems. There were
several all at one time. Seemed suspicious.
The design is that pending accounts should be deleted after 36 hours or 3 days
or some similar time that I don't recall at this moment. But in theory
pending accounts that are not activated within that time are discarded and
then allowed to be registered new again. At that time a new email is sent
out. Something does appear to be broken there however.
The web interface has been running on inertia for a while. It could
definitely use some help from someone who enjoys dealing with old PHP code.
As with many projects like this I will say, patches welcome!
_______________________________________________________
<http://savannah.gnu.org/support/?109310>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
--

Rick Johnson
631-921-8450

Bob Proulx

2018-04-15 03:39:39 UTC

Permalink

Hi Rick,

I chafe at the use of the word customer since it is a community
resource. We are all in this together. It isn't a customer
relationship.

You may be thinking that I am somehow the developer of the web
interface. I am not. I have only poked my nose into it on a few
occasions. I'm primarily working on the mailing lists and the
hosting. The web UI could definitely use some help. Are you
interested in contributing to it?

Many are probably okay with using different usernames.

That's a poor workaround. Anyone who has problems should contact us
for assistance. It isn't difficult to push things along.

Maybe Lastpass causes a pattern of use that enables the problem.

It's possible. Especially since we had a number of complaints from
LastPass users all at once. Seemed more than a normal amount. And
haven't heard any problems from then since. Since the web UI hasn't
changed it was possible that it was the password manager.

Note that I think random passwords are the best security. I am not a
user of LastPass myself but they seem reasonable. And in general I
encourage the use of password managers. I would definitely like the
web UI to work well with password managers.

Just tryin' to help.

Sure. Patches welcome. There hasn't been too much development done
on the web site UI for some time.

Bob

Rick Johnson

2018-04-16 00:47:21 UTC

Permalink

Sorry about the "customer" idea.
I really have not engaged enough to know better.

Post by Bob Proulx
Hi Rick,

I chafe at the use of the word customer since it is a community
resource. We are all in this together. It isn't a customer
relationship.
You may be thinking that I am somehow the developer of the web
interface. I am not. I have only poked my nose into it on a few
occasions. I'm primarily working on the mailing lists and the
hosting. The web UI could definitely use some help. Are you
interested in contributing to it?

Many are probably okay with using different usernames.

That's a poor workaround. Anyone who has problems should contact us
for assistance. It isn't difficult to push things along.

Maybe Lastpass causes a pattern of use that enables the problem.

It's possible. Especially since we had a number of complaints from
LastPass users all at once. Seemed more than a normal amount. And
haven't heard any problems from then since. Since the web UI hasn't
changed it was possible that it was the password manager.
Note that I think random passwords are the best security. I am not a
user of LastPass myself but they seem reasonable. And in general I
encourage the use of password managers. I would definitely like the
web UI to work well with password managers.

Just tryin' to help.

Sure. Patches welcome. There hasn't been too much development done
on the web site UI for some time.
Bob

--
Rick Johnson
631-921-8450

Ineiev

2018-04-16 07:41:36 UTC

Permalink

Post by Rick Johnson
The "INVALID.NOREPLY" sender didn't encourage me to pay attention to the

verification email.

We could warn new users about it and tell them what the email is going to look
like. Do you think that would help?

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?109310>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

Rick Johnson

2018-04-16 08:23:27 UTC

Permalink

Yes, certainly a little more alert about the email would help. I cannot
remember why I didn't attend to mine.

Another idea would be to add a little note with the Login invalid error
message, like
"(You can reset your password if you validated your email)".

Rick

Post by Rick Johnson

Post by Rick Johnson
The "INVALID.NOREPLY" sender didn't encourage me to pay attention to the

verification email.
We could warn new users about it and tell them what the email is going to look
like. Do you think that would help?
_______________________________________________________
<http://savannah.gnu.org/support/?109310>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
--

Rick Johnson
631-921-8450

Ineiev

2018-04-22 12:30:53 UTC

Permalink

Update of sr #109310 (project administration):

Status: Need Info => Done

_______________________________________________________

Follow-up Comment #6:

I've just pushed and installed a commit explaining what the confirmation email
looks like and where it comes from.

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?109310>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

Continue reading on narkive:

Search results for '[savannah-help-public] [sr #109310] Loophole Creating Account' (Questions and Answers)

replies

Is religion the ultimate loophole to hide behind?

started 2011-12-13 17:43:05 UTC

religion & spirituality

replies

Is this idea smart, or is it illegal, or maybe both?

started 2007-10-25 21:17:26 UTC

security

replies

My Real-life Paradox. What would you do?