Via Twitter
Authors consider SQLi as main attack vector. Hashed token mitigate r/o SQLi, encrypted mitigate r/w SQLi
That actually doesn't buy you anything. Consider the following table schema:
CREATE TABLE reset_tokens (
tokenid BIGSERIAL PRIMARY KEY,
selector TEXT,
verifier TEXT,
user BIGINT REFERENCES users (userid),
expires TIMESTAMP
);
We recommended hashing the verifier. You might think encryption would mitigate against read/write SQLi, but you can do this:
- Issue a reset for an unprivileged user.
UPDATE reset_tokens SET user = {$target} WHERE selector = {$knownToAttacker}
- Access the URL.
That works even if you can't just break out of the database, into the filesystem, and exfiltrate their encryption keys.
@paragonie-scott, may be not: verifier is know to attacker. so he can produce HMAC(message=victim-user-id, key=attacker-verifier), right?