
Security Flaw: Forgot Password Mechanism Can Circumvent Verification

We have a private customer support portal, available only to "Verified" customers.

To make that work, Freshdesk recommended that we could simply turn off the Email Notification - User Activation Email and verify customers manually. 

This does prevent a person who's emailed in an issue from automatically getting an activation email. 

When a user visits the portal URL they are asked to log in. As they've not been verified, they cannot. So far, so good.

But unfortunately, if they click on the "forgot your password?" link, they are prompted to enter their email address and are sent a link to set a new password. 

Once they do this they are verified.

Major fail.


For this mechanism to work:


The forgot password process should check first to see if the user is verified. 

If they are not verified:
- If the User Activation Email is enabled: it should be resent with a new timed link. 

- If the User Activation Email is not enabled: the user should be sent a message, configurable by a Freshdesk administrator, informing them of what will happen.


If they are verified:

- The password reset should be processed.


Thanks!
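The gate described above, written out as an added Ruby example (not Freshdesk's code): the forgot-password handler branches on the verified flag before anything is sent, and completing a reset never changes that flag. The user store, mailer outbox and admin message are constructed stand-ins.

```ruby
require 'securerandom'
require 'digest'
# Constructed in-memory user record; this is not Freshdesk's data model.
User = Struct.new(:email, :verified, :password_hash, :token, :token_kind, :token_expires_at, keyword_init: true)
class PasswordResetFlow
  TOKEN_TTL = 60 * 60 # timed links expire after one hour
  attr_reader :outbox # stand-in for the mailer so the flow can be inspected offline
  # activation_email_enabled mirrors the "User Activation Email" notification switch.
  def initialize(users, activation_email_enabled:, admin_message: 'Contact support to get your account verified.')
    @users = users.each_with_object({}) { |u, h| h[u.email.downcase] = u }
    @activation_email_enabled = activation_email_enabled
    @admin_message = admin_message
    @outbox = []
  end

  # Returns the branch taken; the page shown to the requester should look the same for every branch.
  def forgot_password(email)
    user = @users[email.downcase]
    return :unknown_email unless user
    if user.verified
      @outbox << { to: user.email, kind: :reset, token: issue_token(user, :reset) }
      return :reset_sent
    end
    if @activation_email_enabled
      @outbox << { to: user.email, kind: :activation, token: issue_token(user, :activation) }
      :activation_resent
    else
      @outbox << { to: user.email, kind: :notice, body: @admin_message }
      :notice_sent
    end
  end

  # Only a verified user holding a live reset token may set a password; the verified flag is never touched here.
  def complete_reset(email, token, new_password_hash)
    user = @users[email.downcase]
    return false unless user&.verified && user.token_kind == :reset && Time.now < user.token_expires_at
    # Compare digests rather than raw strings so a mismatch does not exit early.
    return false unless Digest::SHA256.digest(user.token) == Digest::SHA256.digest(token.to_s)
    user.password_hash = new_password_hash
    user.token = user.token_kind = nil # single use
    true
  end

  def issue_token(user, kind)
    user.token = SecureRandom.urlsafe_base64(32)
    user.token_kind = kind
    user.token_expires_at = Time.now + TOKEN_TTL
    user.token
  end
end
```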



Having a way to reset passwords from our end would be extremely helpful, both for this issue and in general.  

I'll point out that this process has become much more complicated now that Freshdesk has enabled multiple email addresses per account. Before you could unverify an account by changing the (only) email address a contact had to be one that had never been used before. You could then re-send the activation email to the user. That process no longer works as of a couple of weeks ago.

We need a way to better lock down access so that a user cannot verify themselves, and to have agents be able to send password resets to the customers.


This has been an issue for over 2 years now and this post about it is over a year old. How long will you wait before addressing such a serious security issue?

I'm sad, really sad

Hello everyone, 


Firstly, we apologise for the delay in getting this issue fixed. We understand that this should have been sorted out way back and being long pending for about 2 years is definitely not a good thing. 


We recently rolled out the Password Policy enforcement and with that we are getting all other breakages and security glitches fixed as well. So yes, we have the best hands working on super high priority to fix this issue as quickly as possible. 


We're positive that we will be rolling out the changes within 2 weeks from today. I request you all to kindly bear with us for a few more days and I promise that we wouldn't disappoint you anymore. 


Thank you all for being so very understanding and patient throughout. 


Have a good day.


Thanks,

Anna

Customer Success Manager

Freshdesk Inc. 



Hi Folks


This issue is now resolved. Thanks for being patient throughout.


Agents will continue to have access to the forgot password mechanism even if user activation emails are turned off and the agent is unverified. However, a contact will have access to the forgot password mechanism only if the contact is verified.


Please feel free to reach out for any clarifications or feedback.


Thanks

Saurabh

Product Manager

Freshdesk Inc.

Thanks, this fix helps very much, but I can't figure out how to disable an existing and verified account.

If I change the password, the user can use the forgot password mechanism to circumvent my block. How can I change this?

We have a commercial product and our concern with this problem is competitors being able to gain access by sending an email to support, then using forgot password. We are using Simple SSO from our application to log in to Freshdesk. This is an obvious security hole.


We can plug this hole somewhat because we are reviewing tickets. But if someone submits a ticket in the middle of the night by sending an email they can easily use forgot password and get away with whatever they like before we are aware of it.


Is there any work around to prevent this? For me, the easiest feature would be to have an option to disable forgot password for customers. This would be especially true if using SSO. If we aren't using FreshDesk passwords why would it ever be there?


Hi Alessio and Chris,


If you would like to prevent users being able to reset their passwords, you could edit the email notification for Password reset under Admin -> Email Notifications -> Requester Notifications, remove the password reset placeholder, and put up a message to reach out to support for resetting the password.


The agents can reset the password for the users manually when the customers reach out.


Having said this, the users will be able to reset their password only if they are verified users in your Freshdesk account. Chris, this should solve your concern of new users submitting in the middle of the night. You could turn off "User activation email" under Email Notifications to avoid the user activating themselves.


Please revert for clarifications. 


Regards,

Manoj.

So people can't change their password by themselves, right?

Sorry but a simple enable/disable for every user may be better, isn't it?

Has this been resolved?