We studied this case to figure out if there’s anything more Discourse can do to keep admins safe:
Still, we believe strongly in being safe by default at Discourse, and we think there is more we can do after closely analyzing this story. As a result, we just implemented a change such that nobody, not even an admin, can modify that particular email template. We believe it is a rare case, but worth addressing, because:
This particular email template is only ever sent to staff on email change, as both the old and new email addresses must be confirmed. For a regular user only the new email address needs to be confirmed. So changing this template for cosmetic design reasons would only be seen by staff, never by regular users, and is thus unimportant.
The risk of allowing admins to change this template is too high, as illustrated by the above REAL WORLD story, which actually happened and was the critical step that allowed the attacker access to the complete Discourse database.
Also, before commenting on this story, a few other things you should know:
Enabling 2FA (two factor auth) in Discourse logins automatically disables all social logins.
It is definitely possible to have 2FA login enabled through Google, GitHub, and other social logins, but I’m not aware of any way Discourse could enforce that, or know about it.
We don’t yet have the ability to print paper backup codes for Discourse 2FA but that is slated for 2.1.
It’s worth thinking about what one logged-in admin can do to another admin’s account. Email changes through the web UI, for example, have to be verified on both new and old email addresses no matter who initiates the email change, so that is safe. Demoting a user from admin to regular user is a potential workaround – but granting admin to another account requires email confirmation via the current admin email address. Gotcha!
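To make the two rules above concrete (the locked template, and the old-plus-new confirmation that staff email changes require), here is a small Ruby model written for this post; it is not Discourse code, and the template keys, template bodies and class names are assumptions.

```ruby
# Added illustration, not Discourse's implementation. Models two rules from the post:
#  1. a protected email template cannot be overridden by anyone, admins included;
#  2. a staff email change needs confirmation from BOTH the old and the new address,
#     while a regular user's change needs only the new one.
require 'securerandom'

# Assumed template keys; the real Discourse keys are not named in the post.
PROTECTED_TEMPLATES = %w[email_change_old_address].freeze
DEFAULT_TEMPLATES = {
  'email_change_old_address' => 'Confirm this change from your OLD address: %{link}',
  'email_change_new_address' => 'Confirm your NEW address: %{link}',
}.freeze

class TemplateStore
  def initialize
    @overrides = {}
  end

  # Returns false and stores nothing for a protected key, regardless of who asks.
  def override(key, body)
    return false if PROTECTED_TEMPLATES.include?(key)
    @overrides[key] = body
    true
  end

  # Protected keys always render from the locked default, never from an override.
  def render(key, link:)
    body = PROTECTED_TEMPLATES.include?(key) ? DEFAULT_TEMPLATES[key] : (@overrides[key] || DEFAULT_TEMPLATES[key])
    format(body, link: link)
  end
end

class EmailChange
  attr_reader :tokens

  def initialize(staff:, old_email:, new_email:)
    # One token per address that must confirm; each is only accepted for its own address.
    @tokens = { new_email => SecureRandom.hex(8) }
    @tokens[old_email] = SecureRandom.hex(8) if staff
    @confirmed = {}
  end

  # Records a confirmation if the token matches that address; returns whether the change is complete.
  def confirm(address, token)
    @confirmed[address] = true if token && @tokens[address] == token
    done?
  end

  def done?
    @tokens.keys.all? { |addr| @confirmed[addr] }
  end
end
```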
You’re welcome to join the discussion over on our Meta forum.