Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
3.1.0-RC5
-
None
Description
This is very theoretical but I think you'll agree with the conclusion I make.
The "Manage “Remember Me” login keys" section in the UCP lists the current users login keys, currently this displays the ID (the login key), last IP and last use time.
The login key is an MD5 hash of the cookie stored in the users browser, a theoretical XSS attack against phpBB could allow an attacker to steal the login keys for a user. Alternatively a user could inadvertently publish the login keys without realising the consequences.
An attacker after stealing the login keys can brute force the MD5 hash, given a single GPU this is possible in < 30 years. Applying parallel processing this time could be reduced to under a month (less than the default validity period.)
Given the login key is useless to the user, I don't see a valid use case to reveal it and possibly allowing it to be collected by an attacker. A savvy user could compare the cookies and login keys to work out which browser is which in their list. To aid usability the current login key should be highlighted somehow within the list.