iSEC #7 Password Not Required for Sensitive Actions
Not sure if we want to fix this. Any fix would be cosmetic. An attacker could bypass it by editing the JS on the page (because SRP has no atomic update-password with included proof of the last password).
azul> SRP does not. But the webapp could only process requests that submit a new password while sending a valid signup with the old one. It's a mess, but I am pretty sure it would work.
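The scheme azul sketches, as an added example that is not the webapp's own code: the server overwrites the stored verifier only when the same request carries a valid SRP client proof (M1) computed against the old verifier, so the "change password" step cannot be reached by skipping client-side checks. Assumed and simplified for the demonstration: the modulus, hashing over decimal strings instead of the RFC 5054 byte encoding, and the names Account, challenge, change_password and client_change_request.

```python
import hashlib
import secrets

# Constructed demonstration modulus: 2**255 - 19 is prime but is NOT an SRP group;
N = 2**255 - 19  # real deployments use an RFC 5054 group and its byte-padding rules.
g = 2

def H(*parts):
    # Simplified hash over decimal strings (not the RFC 5054 encoding).
    return int.from_bytes(hashlib.sha256(":".join(map(str, parts)).encode()).digest(), "big")
k = H(N, g)

def make_verifier(username, password, salt=None):
    salt = secrets.randbits(64) if salt is None else salt
    return salt, pow(g, H(salt, username, password), N)

class Account:
    def __init__(self, username, password):
        self.salt, self.verifier = make_verifier(username, password)
        self._b = None  # server ephemeral for the in-flight challenge

    def challenge(self):
        # Step 1: the server issues B computed from the *stored* verifier.
        self._b = secrets.randbits(256)
        self.B = (k * self.verifier + pow(g, self._b, N)) % N
        return self.salt, self.B

    def change_password(self, A, M1, new_salt, new_verifier):
        # Step 2: the new verifier is stored only if M1 proves the old password.
        if self._b is None or A % N == 0:
            return False
        u = H(A, self.B)
        S = pow(A * pow(self.verifier, u, N), self._b, N)
        expected = H(A, self.B, H(S))
        self._b = None  # each challenge is single-use, success or failure
        if M1 != expected:
            return False  # nothing changes on a failed proof
        self.salt, self.verifier = new_salt, new_verifier
        return True

def client_change_request(username, old_password, new_password, salt, B):
    # Client: prove the old password and carry the new verifier in the same request.
    a = secrets.randbits(256)
    A = pow(g, a, N)
    x = H(salt, username, old_password)
    u = H(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, H(S))
    new_salt, new_verifier = make_verifier(username, new_password)
    return A, M1, new_salt, new_verifier
```

A request with a wrong old password, or one replayed after its challenge was consumed, leaves the stored salt and verifier untouched.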
(from redmine: created on 2013-09-03)
- Relations:
- parent #3516