
security issues related to multiple account sharing


hus...@gmail.com

Jan 18, 2014, 10:51:27 AM
Persona has a feature in which, when a user logs in with multiple accounts, they are joined into one Persona account. This is nice in that by logging into one Persona account you log in to the other accounts too.

But that has created a major security issue for us. Let me give you an example. We have users using our system in a shared office, and each of them has their own Persona login. They often share each other's PCs, and it happens that by logging in on one machine they also merge the previous user's Persona account (the user who logged in to our system on that machine) into theirs.

Then
1) they can log in as that user, which is a major security issue
2) the user whose account was "stolen" can't use his account anymore, as the password changes to that of the other user

We currently do a local Persona logout, which just logs out of our system. But it doesn't log out of Persona, and users don't know that. As far as they are concerned, they logged out of the system.

We could probably fix this by doing a global Persona logout in our system. But from what I read on Persona's website, this is not recommended.

So what is recommended then?

This is becoming a major headache for us. I will appreciate any advice.

Thanks,
HG

hus...@gmail.com

Jan 18, 2014, 11:10:28 AM
I found a related issue here (https://groups.google.com/forum/?fromgroups#!searchin/mozilla.dev.identity/signout/mozilla.dev.identity/x7YdVKpCCVs/FX2n8oGY7S4J), which was reported in 2012 and because of which that company stopped using Persona.

I wonder if anything has changed since then?

Dirkjan Ochtman

Jan 18, 2014, 11:31:05 AM
to hus...@gmail.com, dev-id...@lists.mozilla.org
On Sat, Jan 18, 2014 at 4:51 PM, <hus...@gmail.com> wrote:
> So what is recommended then?

The sharing of accounts on the Persona shim is a weird design issue,
and will probably be phased out at some point.

Cheers,

Dirkjan

Huseyn Guliyev

Jan 18, 2014, 11:38:37 AM
What can be done meanwhile then?

Francois Marier

Jan 19, 2014, 7:26:27 PM
On 19/01/14 05:31, Dirkjan Ochtman wrote:
> The sharing of accounts on the Persona shim is a weird design issue,
> and will probably be phased out at some point.

We are seriously thinking about eliminating these "server-side" accounts
in order to separate the JavaScript shim from the fallback IdP.

In that case, your email addresses would all be stored in your browser
as you add them but they would not be carried over to a new browser as a
single unit. Also, each email address could have a different password.

Francois

Francois Marier

Jan 19, 2014, 7:30:40 PM
On 19/01/14 04:51, hus...@gmail.com wrote:
> We could probably fix this by doing a global Persona logout in our system. But from what I read on Persona's website, this is not recommended.

I don't think it's currently possible to do that because in order to log
a user out of the fallback IdP (login.persona.org), you need to POST a
CSRF token to login.persona.org/wsapi/logout.

> So what is recommended then?

To work around the fact that these users are sharing the same browser
and mixing their sessions together, I think the best option would be to
tell them to open a new private browsing / incognito window whenever
they want to use your site and then close it when they're done. That
will clear the cookies and the certificates in localStorage.

Francois

Huseyn Guliyev

Jan 19, 2014, 11:21:30 PM

Thanks Francois,

FYI, our users manage to create a mess even in incognito windows.
This is a major security problem with Persona that we have encountered.

What would be the timeline for a fix? I am seriously considering migrating from Persona.

Francois Marier

Jan 23, 2014, 5:33:26 AM
On 20/01/14 17:21, Huseyn Guliyev wrote:
> Thanks Francois,
>
> FYI, our users manage to create a mess even in incognito windows.
> This is a major security problem with Persona that we have encountered.
>
> What would be the timeline for a fix? I am seriously considering migrating from Persona.

I've created this bug to track the fix for this:

https://github.com/mozilla/persona/issues/4079

Francois