Reset another user's password with the help of the "Forgotten Password" function

Hello there,

we found a critical issue in SSPR v4.7.0.0 b25 r23613f36 (IDM 4.8.7). It's possible to reset another user's password with the help of the "Forgotten Password" function.

SSPR Forgotten Password Configuration:

  • Search Form: CN
  • Search Filter: (&(objectClass=person)(cn=%cn%)(homeEmailAddress=*))
  • Method: "Email-Token Verification" Required

Steps to recreate:

1. In OSP, click on "Forgotten Password?" or open <USERAPPURL>/sspr/public/ForgottenPassword
2. Enter Username-A, click "Search"
3. Click "Continue" on the message "To verify your identity, a security code will be sent to you at k****@c**********.de."

An e-mail with link and token is sent.

4. On the confirmation page with the code input field, now click on "Cancel"
5. Again in OSP, click on "Forgotten Password?" or open <USERAPPURL>/sspr/public/ForgottenPassword
6. Now enter Username-B, click "Search"
7. Instead of clicking on "Continue", now open the link from the e-mail for Username-A
8. The page shows "Thank You! Your security code sent to k****@c**********.de has been verified."
9. If you now click on "Continue", you get the Change Password page for Username-B (shown in the upper left corner)

Result: Any user can change the password of a user account that he doesn't own.

It seems that the email token is bound only to the browser session and not to the username. Another problem is that opening the e-mail link doesn't reset the browser session (tested on Firefox 127.0.2).
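To make the binding problem concrete, here is an added, hypothetical model of a forgotten-password flow. It is not SSPR code and does not reflect SSPR's internals; the `Session` class, the `start_reset`/`send_email_token`/`verify_link_*` functions and the usernames `user-a`/`user-b` are all assumptions for illustration. It replays the sequence from the steps above against two checks: a weak one that ties the token only to the session, and a hardened one that also requires the token's subject to equal the account currently being reset and discards the pending token on any mismatch.

```python
import secrets

# Hypothetical, simplified model of a "Forgotten Password" flow (not SSPR code).
# Its only purpose is to show the difference between an email token that is
# bound to the browser session alone and one that is also bound to the username
# it was issued for.


class Session:
    def __init__(self):
        self.target_user = None     # account the session is currently resetting
        self.token = None           # pending email token
        self.token_subject = None   # account the pending token was issued for
        self.verified = False


def start_reset(session, username):
    """Steps 2 and 6: the user enters a name and clicks Search."""
    session.target_user = username
    session.verified = False


def send_email_token(session):
    """Step 3: a security code is issued for the current target user.
    In a real system the token is delivered by e-mail only; it is returned
    here so the replay below can simulate opening the link."""
    token = secrets.token_urlsafe(16)
    session.token = token
    session.token_subject = session.target_user
    return token


def verify_link_session_bound(session, token):
    """Weak check: the token is compared against the session only.
    A token issued for user-a still verifies after the same session
    has moved on to user-b, which is the behaviour described above."""
    if session.token is not None and secrets.compare_digest(session.token, token):
        session.verified = True
    return session.verified


def verify_link_user_bound(session, token):
    """Hardened check: the token must match AND the account it was issued
    for must be the account this session is currently resetting. Any
    mismatch invalidates the pending token so the flow must start over."""
    if (session.token is not None
            and secrets.compare_digest(session.token, token)
            and session.token_subject == session.target_user):
        session.verified = True
    else:
        session.token = None
        session.token_subject = None
        session.verified = False
    return session.verified


def replay(verify):
    """Replay the reported sequence against a verify function and return
    the account that would reach the Change Password page, or None."""
    s = Session()
    start_reset(s, "user-a")          # steps 1-2 (constructed usernames)
    token = send_email_token(s)       # step 3: e-mail goes to user-a
    # step 4: Cancel is only a navigation; the session keeps its token
    start_reset(s, "user-b")          # steps 5-6
    verified = verify(s, token)       # step 7: open the link from user-a's mail
    return s.target_user if verified else None


def happy_path(verify):
    """Same user throughout: the hardened check must still let this through."""
    s = Session()
    start_reset(s, "user-a")
    token = send_email_token(s)
    return verify(s, token)


if __name__ == "__main__":
    print("session-bound token ->", replay(verify_link_session_bound))  # user-b
    print("user-bound token    ->", replay(verify_link_user_bound))     # None
```

Running the module prints which account each variant would hand to the password-change page; the user-bound check also keeps the normal single-user flow working, which is the property a hotfix has to preserve.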

This is a huge security issue.

Can anybody recreate this behaviour, and does anybody have an idea how to hotfix this? I already opened a case on the Support Portal.

Regards
Daniel Klotz