Security breach in Discourse forum with SSO

We will also likely be adding email confirmation to backup downloads in 1.8 to verify the person downloading the backup controls the target account email as well, not just the password. This is a form of two-factor auth.

Email confirmation of backup downloads is now in, thanks to @blake. You can’t download backups simply by being logged in, you must…

  1. Be logged in as an admin → to get to /admin/backups
  2. Control the email address of an admin → to receive the download link email

So this is indeed a form of two factor auth. Verifies control of the email account, plus the ability to log in as the admin. Here’s the actual email the admin will receive when the download backup button is pressed; it warns about unknown attempts to download the site database:

Here’s the site backup download you requested.

We sent this download link to your validated email address for security reasons.

(If you didn’t request this download, you should be seriously concerned – someone has admin access to your site.)

Along with the major cookie token security database changes in 1.8, this should make it much harder to have a full DB breach out there, and once it is out there, the damage is considerably less.

14 Likes