Password reset can expose emails #62

Open
Thiritin opened this issue Feb 28, 2023 · 0 comments


@Thiritin
Owner

Imported from OTRS.

Reporter wrote:

A captcha/bot protection and maybe an ever-increasing cool-down for repeated lookups seem like a good measure.
I still think that it would be safer to not give feedback on whether the entered mail was valid, but I can also clearly see the usability impact of it. It's a compromise/decision.
The only thing I could think of right now would be to have the feedback be in a non-machine-readable format like an embedded icon/picture. But that would only help against bot/machine attacks, and even then image recognition and OCR exist.
There is no way to protect against manual spear-phishing attacks while giving feedback to the user.

Tin wrote:

We take any kind of security and privacy report very seriously. I have spoken with my team, and we were able to replicate the potential problem. We also noted the behavior applying to the registration page. It is not possible to register with the same email twice; this information is also exposed on the registration endpoint. The idea I had to fix this problem was enabling a captcha and rate limiting to prevent attackers from looking up databases of emails. We also looked at other platforms and found that both furbase and Google expose this information as well on their registration forms.

Due to the chicken-and-egg problem, we cannot hide this information from the user and at the same time provide them with good usability of the site. We could hide this information from the user in the registration as well, but this would leave them hanging; also, other behavior like trying to send a password reset mail if the user does not exist has security implications.

I am open to ideas of how we can solve this problem in a way that limits access to this data with, at best, no negative or only little/reasonable implications for usability.

[...]

Reporter wrote:

Hello Webteam,
When resetting your password, the site will tell you if that email is registered or not on here. This is a potential security and privacy problem that should be avoided. While this information can be helpful for users, it can also be very helpful for malicious actors.

Best Regards!
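Added example, not code from this project: a password-reset request handler that returns one identical message whether or not the address is registered, combined with the escalating per-client cool-down suggested in the thread. The `USERS` store, the `SENT_RESETS` outbox and the `client` key (e.g. an IP or session id) are constructed placeholders.

```python
import time
from dataclasses import dataclass, field

# Constructed sample user store (placeholder, not the site's data): email -> user id
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Constructed outbox; a real deployment would hand these to the mailer
SENT_RESETS = []

# One message for every outcome, so the response body cannot be used to enumerate emails
GENERIC_MSG = "If that address is registered, a reset link has been sent."


@dataclass
class Cooldown:
    """Escalating per-client cool-down: each request doubles the wait before the next one.

    The wait depends only on how often the client asked, never on whether the
    email existed, so the throttle itself does not leak registration status.
    """
    base: float = 1.0      # seconds to wait after the first request
    cap: float = 3600.0    # upper bound on the wait
    state: dict = field(default_factory=dict)  # client -> (strikes, not_before)

    def allow(self, client: str, now: float) -> bool:
        strikes, not_before = self.state.get(client, (0, 0.0))
        if now < not_before:
            return False
        wait = min(self.base * (2 ** strikes), self.cap)
        self.state[client] = (strikes + 1, now + wait)
        return True


def request_password_reset(email: str, client: str, limiter: Cooldown, now=None) -> dict:
    """Handle a reset request without revealing whether `email` is registered."""
    now = time.time() if now is None else now
    if not limiter.allow(client, now):
        # Throttled: status signals the cool-down, message stays generic
        return {"status": 429, "message": GENERIC_MSG}
    uid = USERS.get(email.strip().lower())
    if uid is not None:
        SENT_RESETS.append((uid, email))   # only side effect that differs, invisible to the caller
    return {"status": 200, "message": GENERIC_MSG}


if __name__ == "__main__":
    lim = Cooldown()
    print(request_password_reset("alice@example.com", "client-a", lim))
    print(request_password_reset("nobody@example.com", "client-a", lim))
```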
