We're going to take a look at a more specific example of complete mediation, and how that can map into a specific application, an Android app such as this one, the login activity that we've been looking at before. So in this example, we're continuing with the login activity. We still have these three buttons for logging in, registering, and getting a forgot-password link. And what we're going to do this time is drill in on this idea of having forgotten the password. Now in order to collapse all of this and make it work, I've defined a LoginUtils class that has a couple of helper methods that we're going to be using to create our password reset action. The idea behind this is that we have a particular button in the application; you click it and it sends a password reset email to your email account. From that email you can click on the password reset link and reset your password. Now, I've gone back to the design of this that violated economy of mechanism. We could have done it a lot of different ways; all of this would still apply, this issue with complete mediation and why it's so important. So let me walk you through the code that we're going to use to send the password reset email, and we'll see how we're violating complete mediation. Now when you see these examples I'm giving, often you have the feeling of, yeah, but it's so obvious in that case that it was a bad idea. But unfortunately, many of the security vulnerabilities that we see are exactly like this: even though we may look at something and say, well, this just doesn't look right at all, that's the way it was written. And often we ourselves make these types of mistakes. So it's helpful to see and talk through these examples, and also to see a specific example of what these higher-level concepts mean.
So in this example, the way that we've implemented the reset password link is this. First we need to figure out which account they're resetting the password for. The idea is that if you're logged in to the app and you've forgotten your password, you can just click this forgot password button, and it will generate an email that has a link in it that allows you to reset the password, and it will send it to the email address of your choice. Now this is going to be a bad idea, as we're going to see in a second. But the assumption that the developer who created this system is making is that if you're already logged into the app and you have access to it, then you should be able to generate a password reset email and send it to someone. So the first thing we do in this code is use our login utility to get the registered account ID on the device. That tells us who we are logged in as, what our identifier is. We're then going to look at the EditText that's displayed to collect the person's email when they log in, except in this case we're going to use that email address as the destination for the password reset link. Then we're going to use our login utilities to create the reset email and reset link. So we're creating an email that we can send them, and if they click on this link it will allow them to change their password and update it, so they can regain access to their account. And finally we're going to send this password reset email to the email address that they specified. Now if you've done security before, this just looks completely wrong to you, and even if you haven't had an extensive background in security, this probably still looks wrong. And if it doesn't look wrong to you, even better, because this is a great example of why mediation of access to objects matters. So let's first look at what we are accessing.
Well, we're accessing this user's account and we are getting a password reset link. So we're basically getting access to their account and to a password reset link. Now, are we mediating that access? Is there anything in here that's checking whether the user should be able to perform that action, whether this code should be able to perform the action that it's about to take? And the answer is no. There's nothing in here that's checking whether this person or thing should get access to that password reset link. And in particular, should we be sending that password reset link to this arbitrary email address that has been entered? Again, no. We're not checking that this email address should be able to receive the reset link, so we're not mediating that access, that email getting that link. And we're not mediating the access to the account that's already been registered on the device; we're just looking up that account ID and then sending off the email. So here's how this could be a vulnerability. Now, in most cases this isn't going to be a problem. If somebody is already logged into the app and they click the password reset button, then they're going to type their own valid email address into that box. So most of the time it's not a problem, and it seems to do what it's intended to do. But let's start with a benign example. Let's assume that the person has a typo in what they enter into this EditText. Because they are already logged in, we assume that it's okay to send the reset email to whatever they typed. So with that typo, you're going to send the password reset link to some arbitrary email address that is not the one associated with this account.
Another example: let's say somebody leaves their phone unlocked on a table, or lets a friend use it to place a call. That person opens up the app and decides, you know what, I want to get access to this person's account. Well, they can go and click that password reset button right here, and there's no challenge to them. There's no requirement that they do anything to prove that they should be able to send that password reset email, and there's no check that the address it's being sent to is even associated with that account. So there's no mediation of this access. And so whenever you do something with data that's associated with a user, or access some sort of critical functionality in a system, as in this example where we're accessing a password reset link, which is a very sensitive thing, and sending it somewhere, all of these types of accesses always need to be mediated, or checked. In this case, we're assuming that because the person has already logged into the device, we don't have to mediate the access again. But that's not correct. Even though somebody's access may have been mediated when they logged in, we should really be checking each time, for each of these accesses, that it is a legitimate access. And in this example there are lots of ways this could go wrong, this sending of the password reset link. So it's really important that you mediate access to objects. Now this is one simple example; we've manifested it in this login activity, but it manifests itself in an inordinate number of ways. It's very important that you think through, whenever you're accessing some data associated with a user or taking an action like sending a password reset link, whether the thing that's asking for it should have access, and that you check, at the time of that access, that it still has and should have access to that thing.
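Here is the flow as added example code, not the course's own code, written in Java in the style of an Android activity: the unmediated handler from the walkthrough above, followed by one way to mediate it along the lines the last few paragraphs describe. LoginUtils is the helper class the lecture mentions, but its method names and signatures here (getRegisteredAccountId, createResetLink, sendResetEmail, getRegisteredEmail, requestPasswordReset), the layout and view ids, and the assumption that requestPasswordReset is a server-side call that emails the address of record are all assumptions made for this example.

```java
// Added example, not the course's code. LoginUtils method names, the
// layout/view ids and the behaviour of requestPasswordReset are assumptions.
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

public class LoginActivity extends Activity {

    private EditText emailField;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);          // assumed layout
        emailField = (EditText) findViewById(R.id.email); // assumed view id
        Button forgot = (Button) findViewById(R.id.forgot_password); // assumed view id
        forgot.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                sendResetMediated();
            }
        });
    }

    // VULNERABLE: the flow the lecture walks through. The account ID comes from
    // whoever is already logged in on the device, the destination is whatever was
    // typed, and the reset link is created and sent with no check that either the
    // requester or the recipient should get it.
    private void sendResetUnmediated() {
        String accountId = LoginUtils.getRegisteredAccountId(this);
        String to = emailField.getText().toString().trim();
        String resetLink = LoginUtils.createResetLink(accountId);
        LoginUtils.sendResetEmail(to, resetLink);
    }

    // MEDIATED: the access to the sensitive object (a reset link for this
    // account) is checked at the moment it happens, not inferred from the
    // earlier login, and the requester never gets to choose the recipient.
    private void sendResetMediated() {
        // Same message on every path, so the button does not reveal whether a
        // guessed address matched the account.
        final String neutral = "If that address is on file for this account, a reset link has been sent.";

        String accountId = LoginUtils.getRegisteredAccountId(this);
        if (accountId == null) {
            // Nothing is logged in on this device: there is no account to act on.
            Toast.makeText(this, neutral, Toast.LENGTH_SHORT).show();
            return;
        }

        String typed = emailField.getText().toString().trim();
        if (!isValidAddress(typed) || !isRegisteredAddress(accountId, typed)) {
            // A typo, or a third party holding an unlocked phone, stops here:
            // the typed address must be the one already on record for the account.
            Toast.makeText(this, neutral, Toast.LENGTH_SHORT).show();
            return;
        }

        // The link itself never passes through the app. The server creates it and
        // delivers it only to the address of record; possession of that inbox is
        // what entitles someone to the link, and the typed address is only a challenge.
        LoginUtils.requestPasswordReset(accountId);
        Toast.makeText(this, neutral, Toast.LENGTH_SHORT).show();
    }

    // Compare the typed address with the address on record for this account.
    // Normalising both sides avoids treating "Alice@Example.com" as a mismatch.
    private boolean isRegisteredAddress(String accountId, String typed) {
        String onRecord = LoginUtils.getRegisteredEmail(accountId);
        return onRecord != null && onRecord.trim().equalsIgnoreCase(typed);
    }

    private static boolean isValidAddress(String s) {
        return s != null && !s.isEmpty()
                && android.util.Patterns.EMAIL_ADDRESS.matcher(s).matches();
    }
}
```

Note what moved: in the unmediated version the app holds the reset link and picks the recipient, so the only thing standing between an unlocked phone and an account takeover is a text box. In the mediated version the app never sees the link, the recipient is fixed to the address of record, and the typed address acts as a challenge that is checked on every click rather than assumed from the earlier login. Matching the address on record is a deliberately weak challenge, because a user who has forgotten their password cannot be asked for it; a second factor, if the account has one, belongs at the same check point.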