Password change without identity check - Ruby

Password change without identity check - Ruby

Need

Enforce strong identity verification for password changes

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of Ruby on Rails for building web applications

Description

Non compliant code

        class UsersController < ApplicationController
  def update_password
    @user = User.find(params[:id])
    @user.password = params[:password]
    @user.save
    redirect_to @user
  end
end
        
        

This code is part of a controller for user accounts in a Ruby on Rails application. The update_password action is supposed to change the password of a user.

The vulnerability lies in the fact that the action does not check the identity of the user before changing the password. It simply finds the user based on the id passed in the params of the request, then changes the password to the new password also passed in the params.

This means that any user who knows the id of another user can change that user's password, without needing to know the previous password or pass any other form of identity verification. This can lead to unauthorized access to user accounts, data breaches, and other security issues.

The code needs to be updated to enforce identity verification before allowing a password change. This could involve requesting the current password and checking it matches before allowing a change, or implementing two-factor authentication.

Steps

  • Implement a proper identity verification mechanism before allowing password change.
  • Require the user to provide their current password as part of the password change process.
  • Verify the provided current password against the user's stored password before allowing the password change.
  • Consider implementing additional identity verification mechanisms such as email confirmation or two-factor authentication.
  • Ensure that the password change process is secure and protected against common attacks such as cross-site request forgery (CSRF).
  • Follow secure coding practices and guidelines when handling passwords, such as using strong hashing algorithms and salting the passwords.
  • Regularly update and patch the Ruby on Rails framework and any related libraries to ensure the latest security fixes are applied.

Compliant code

        class UsersController < ApplicationController
  before_action :correct_user, only: [:update_password]

  def update_password
    @user = User.find(params[:id])
    if @user.authenticate(params[:current_password])
      @user.password = params[:password]
      @user.save
      redirect_to @user
    else
      flash[:error] = "Incorrect current password"
      render :edit
    end
  end

  private

  def correct_user
    @user = User.find(params[:id])
    redirect_to(root_url) unless current_user?(@user)
  end

  def current_user?(user)
    user == current_user
  end
end
        
        

The updated code now includes a proper identity verification mechanism before allowing a password change. This is done by requiring the user to provide their current password as part of the password change process. The provided current password is then verified against the user's stored password before allowing the password change.

The before_action filter :correct_user is used to ensure that the user is logged in and is the correct user before they can access the update_password action. This is an additional security measure to prevent unauthorized users from changing another user's password.

The authenticate method is used to verify the provided current password against the user's stored password. If the authentication is successful, the password change is allowed. If not, an error message is displayed and the user is redirected back to the edit page.

This code also follows secure coding practices and guidelines when handling passwords, such as using strong hashing algorithms and salting the passwords. The Ruby on Rails framework and any related libraries should be regularly updated and patched to ensure the latest security fixes are applied.

Consider implementing additional identity verification mechanisms such as email confirmation or two-factor authentication for enhanced security. Also, ensure that the password change process is secure and protected against common attacks such as cross-site request forgery (CSRF).

References