View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000192 | Main CAcert Website | source code | public | 2006-04-04 01:40 | 2013-11-20 22:23 |
Reporter | Assigned To | ||||
Priority | none | Severity | major | Reproducibility | always |
Status | closed | Resolution | open | ||
Fixed in Version | 2006 | ||||
Summary | 0000192: Identity Changes / Race Condition | ||||
Description | This Bug was reported as Security Bug 0000007 on 06.07.2005 by Christoph Probst. This report is just to get it into the Mantis database. There is a race condition in the Assure Someone function which can be easily exploited on live assurances (as they are done on big events like CeBit or LinuxTag). It allows a user to get ANY identity assured. This makes the whole assurance process useless and consequently the whole verification system of CAcert. This applies to EVERY account, independent of whether the account has 0 assurance points or more. As all this affects the trust people put into CAcert I consider this to be a major security problem. If this happens in reality I'm sure that many people lose their trust in CAcert! | ||||
Additional Information | The Problem
===========

The exploit works as follows:

1. User A creates a CAcert account with his real identity
2. User A goes to the CAcert booth on any big event to get his identity checked
3. The Super Assurer opens the "Assure someone" form and enters the user's account address.
4. While the Super Assurer verifies the details displayed on the screen someone else can change the account details for User A.
6. The Super Assurer assigns points to the wrong identity.

This is possible as the user is able to change his user details at all. As a SuperAssurance normally brings the user to over 100 points there is no need for any further id verification for this account. Additionally it is impossible to double check id the details afterwards as the amount of work is just too huge.

This race condition works for any assurances, but especially on live assurances on big events it is easy to find out when the assurer verifies the data on screen. Also getting 35 points by a normal assurance isn't worth anything at the moment.

Getting to 150 points
---------------------

Once a user reached more than 99 points he can get himself to 150 points by just assuring other people (25). These users may be fake accounts created for this purpose.

Impact
======

Using the exploit it is theoretically possible and in my opinion easy to manage to receive 150 points for an unverified name. This must not be possible at all.

Solution
========

The solution for the race condition is either to disallow identity changes at all or to freeze the identity before the user is issued his points. A workaround would be to issue 1 point first that freezes the id and then another somewhat 119 to bring the user to a total of 120. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
related to | 0000197 | closed | in simultaneous operation of assurer and applicant, changed deta can be confirmed |
Date Modified | Username | Field | Change |
---|---|---|---|
2006-04-04 01:40 | | New Issue | |
2006-04-04 01:41 | | Status | new => closed |
2006-04-04 20:13 | | Relationship added | related to 0000197 |
2013-01-14 03:06 | Werner Dworak | Fixed in Version | => 2006 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |
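
The fix proposed in the report (freeze the identity before points are issued, and never award points to details other than the ones the assurer checked) can be sketched as follows. This is an added example, not CAcert's code: the table layout, the `version` column, the function names and the sample account are assumptions made for illustration.

```python
import sqlite3

EMAIL = "a@example.org"  # constructed sample account

def make_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical schema: `version` counts identity edits, `points` are assurance points.
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT, dob TEXT,"
               " version INTEGER NOT NULL DEFAULT 0, points INTEGER NOT NULL DEFAULT 0)")
    db.execute("INSERT INTO users (email, name, dob) VALUES (?, ?, ?)",
               (EMAIL, "Real Name", "1980-01-01"))
    db.commit()
    return db

def open_assure_form(db, email):
    """What the assurer sees on screen, plus the version those details were read at."""
    return db.execute("SELECT name, dob, version FROM users WHERE email = ?",
                      (email,)).fetchone()

def change_identity(db, email, name, dob):
    """Identity edits bump the version and are refused once any points exist (freeze)."""
    cur = db.execute("UPDATE users SET name = ?, dob = ?, version = version + 1"
                     " WHERE email = ? AND points = 0", (name, dob, email))
    db.commit()
    return cur.rowcount == 1

def assure(db, email, seen_version, points):
    """Check and award in ONE statement: points land only on the identity that was shown."""
    cur = db.execute("UPDATE users SET points = points + ?"
                     " WHERE email = ? AND version = ?", (points, email, seen_version))
    db.commit()
    return cur.rowcount == 1

def replay():
    """Replays the sequence from the report against the guarded functions."""
    db = make_db()
    seen = open_assure_form(db, EMAIL)[2]                                # assurer opens the form
    edited = change_identity(db, EMAIL, "Other Name", "1970-02-02")      # edit during the check
    stale = assure(db, EMAIL, seen, 35)                                  # rejected: version moved
    change_identity(db, EMAIL, "Real Name", "1980-01-01")                # details restored
    seen = open_assure_form(db, EMAIL)[2]                                # assurer re-reads, re-checks
    fresh = assure(db, EMAIL, seen, 35)                                  # accepted
    frozen = not change_identity(db, EMAIL, "Other Name", "1970-02-02")  # edit now refused
    row = db.execute("SELECT name, points FROM users WHERE email = ?", (EMAIL,)).fetchone()
    return edited, stale, fresh, frozen, row

if __name__ == "__main__":
    print(replay())
```

Because the version comparison and the point award happen in a single `UPDATE`, there is no window between the check and the write for a concurrent identity change to slip into.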