
Possible security issue

Open skcuslleb opened this issue 8 years ago • 3 comments

I have written an application using Sorcery authenticating through Google. Everything worked wonderfully, until I learned today that a former employee is still able to access our system even though his account password was changed ages ago.

I conducted a little experiment. I logged onto our system, then changed my password in Gmail... but I'm still able to access the application without updating my password? I'm not really understanding how this is happening. When we call to Google for authentication, shouldn't it respond by making us enter our new password?

skcuslleb avatar Apr 16 '16 07:04 skcuslleb

For whoever looks at this, it sounds like an issue with OAuth being cached either by Sorcery or by Google itself. IIRC, Sorcery is only looking at the response from Google, so if Google doesn't realize a user changed their password and reset all their auth cookies, a user would still be able to log in using the information from the last time they logged in. If Sorcery uses similar cookies, that could also be the point of failure.

joshbuker avatar Jul 19 '16 23:07 joshbuker

@athix any thoughts on reproducing/checking this?

Ch4s3 avatar Jul 20 '16 01:07 Ch4s3

@Ch4s3, I'm not sure if I'll have time to try this myself, but here's what I'd do to try and replicate:

  1. Set up a simple test app using Sorcery, and a Google account to use for authentication.
  2. Create an account on the test app using Google credentials.
  3. Verify the account works by logging in and back out at least 3 times. (Preferably each time on a different browser, perhaps Chrome, Safari and Firefox.)
  4. Go to your Google account and change your password.
  5. Attempt to log into the test app. It should fail. If not, investigate the console log.
    • Make sure to use a browser that you already logged in with before. If that succeeds, then try a different browser, or incognito mode. (If it fails on another browser, then it's definitely a caching issue.)

joshbuker avatar Sep 09 '16 03:09 joshbuker
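
An added example, not part of the thread and not Sorcery's or Google's code: a small Ruby model of the behaviour reported in the issue, assuming the application keeps its own session once the provider login has succeeded. It shows that session surviving a password change at the provider, and a maximum session age and server-side revocation as mitigations. Every class and method name is hypothetical and the accounts are constructed sample data.

```ruby
require "securerandom"

# Constructed model; every name here is hypothetical, none is Sorcery's or Google's API.
class FakeProvider                      # stands in for the identity provider
  def initialize; @passwords = {}; end
  def set_password(email, pw); @passwords[email] = pw; end
  def authenticate(email, pw); @passwords.key?(email) && @passwords[email] == pw; end
end

class App
  def initialize(provider, max_session_age: nil)
    @provider = provider
    @max_session_age = max_session_age  # seconds; nil means the session never expires
    @sessions = {}                      # session id => { email:, authenticated_at: }
  end

  # The provider is consulted only here, at login.
  def login(email, pw, now:)
    return nil unless @provider.authenticate(email, pw)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { email: email, authenticated_at: now }
    sid
  end

  # Per-request check: returns the email, or :reauth_required.
  def current_user(sid, now:)
    session = @sessions[sid]
    return :reauth_required if session.nil?
    if @max_session_age && now - session[:authenticated_at] > @max_session_age
      @sessions.delete(sid)
      return :reauth_required
    end
    session[:email]
  end

  # Server-side revocation, e.g. when an employee leaves.
  def revoke_sessions_for(email)
    @sessions.delete_if { |_, s| s[:email] == email }
  end
end

# Log in, change the password at the provider, then use the old session an hour later.
def session_after_password_change(max_session_age:)
  provider = FakeProvider.new
  provider.set_password("user@example.com", "old-pw")
  app = App.new(provider, max_session_age: max_session_age)
  sid = app.login("user@example.com", "old-pw", now: 0)
  provider.set_password("user@example.com", "new-pw")
  app.current_user(sid, now: 3600)
end
```

With `max_session_age: nil` the old session still resolves to the user after the password change; with a 900-second limit the same request returns `:reauth_required`, which sends the user back through the provider login.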