

Persona Password Reset Phishing Flaw - jorangreef

I just tried to reset my Persona password and was surprised by the flow:

1. Persona asked me to choose a new password and confirm it, right then and there.

2. I received an email with this text: "Forgot your password for Persona? It happens to the best of us. Click here to reset your password."

3. Clicking that link provided no further confirmation before changing my password.

Usually, a password reset link is sent by email, and the user then chooses a new password. This means that it's always the user who chooses the password. Users are conditioned to this. Even if somebody else generates a password reset email, the user can just ignore it, or, if they then decide they want to reset their password, they can follow the link and reset their password.

With Persona, however, someone else gets to choose the password. The user gets sent an email that looks no different from the usual password reset email. But if they so much as click that link, then someone else has changed their password. I can imagine some users might be surprised, trust Persona, and close the tab.
======
fmarier
Indeed, you're not the only one confused by this flow, which is why there's an
open bug for it: <https://github.com/mozilla/browserid/issues/1232>

------
callahad
Thanks for the feedback!

> 3. Clicking that link provided no further confirmation before changing my
> password.

Try doing that from another browser :) Persona only skips confirmation if you
hit the reset link from the same browser that requested the reset.

Edit: More info at
[https://github.com/mozilla/browserid/issues/2499#issuecommen...](https://github.com/mozilla/browserid/issues/2499#issuecomment-8662390)

Which is really interesting, because Persona is doing the right thing, but
giving the impression of _not_ doing the right thing. Hm.

~~~
jorangreef
Thanks Dan.


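As an added illustration of the two flows discussed above (not code from the thread or from Persona), the model below keeps the requester's chosen password in a pending reset bound to the requesting browser's cookie. If the link is opened from that same browser, the reset completes silently; if it is opened from a different browser, the clicker did not choose the password, so the service refuses to apply it and asks them to set one. All names (ResetService, request_reset, complete_reset, the browser cookie values) are hypothetical, and the scenario data is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of the reset flow described in the thread; not Persona's code.
# ResetService, request_reset, complete_reset and the cookie values are hypothetical.


def _hash(value: str) -> str:
    # Toy hashing for the model only; a real service would use a password hash (argon2, bcrypt).
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingReset:
    email: str
    new_password_hash: str  # chosen by whoever requested the reset
    browser_id: str         # cookie of the browser that made the request


@dataclass
class ResetService:
    passwords: Dict[str, str] = field(default_factory=dict)        # email -> password hash
    pending: Dict[str, PendingReset] = field(default_factory=dict)  # token -> pending reset

    def request_reset(self, email: str, new_password: str, browser_id: str) -> str:
        """Step 1: requester picks the password now; the token is what the email link carries."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingReset(email, _hash(new_password), browser_id)
        return token

    def complete_reset(self, token: str, browser_id: str,
                       confirm_new_password: Optional[str] = None) -> str:
        """Step 3: link clicked. Apply silently only from the requesting browser."""
        req = self.pending.get(token)
        if req is None:
            return "invalid"
        if hmac.compare_digest(req.browser_id, browser_id):
            # Same browser that chose the password: the clicker is the chooser.
            self.passwords[req.email] = req.new_password_hash
            del self.pending[token]
            return "reset"
        # Different browser: someone else chose the password. Do not apply it;
        # require the person holding the mailbox to choose one themselves.
        if confirm_new_password is None:
            return "confirmation_required"
        self.passwords[req.email] = _hash(confirm_new_password)
        del self.pending[token]  # single use
        return "reset_by_clicker"

    def check(self, email: str, password: str) -> bool:
        return hmac.compare_digest(self.passwords.get(email, ""), _hash(password))


def scenario() -> Tuple[str, str, bool, str, bool]:
    svc = ResetService()
    svc.passwords["alice@example.com"] = _hash("old-password")

    # Legitimate: Alice requests and clicks the link in the same browser.
    t1 = svc.request_reset("alice@example.com", "alice-new", browser_id="alice-cookie")
    r1 = svc.complete_reset(t1, "alice-cookie")

    # Hostile: Mallory requests a reset with a password of her choosing; the email
    # goes to Alice, who clicks it from her own browser.
    t2 = svc.request_reset("alice@example.com", "mallory-picks", browser_id="mallory-cookie")
    r2 = svc.complete_reset(t2, "alice-cookie")
    mallory_password_applied = svc.check("alice@example.com", "mallory-picks")

    # Alice, prompted, chooses her own password to finish.
    r3 = svc.complete_reset(t2, "alice-cookie", confirm_new_password="alice-chooses")
    return r1, r2, mallory_password_applied, r3, svc.check("alice@example.com", "alice-chooses")


if __name__ == "__main__":
    print(scenario())
```

The browser binding is what stops a stranger's chosen password from landing on a mere click from another browser, which is the behaviour Dan describes. It does nothing about the point jorangreef raises, though: the email in both scenarios is identical, so the recipient cannot tell from the message itself whether they or someone else chose the pending password.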