Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#40667 closed enhancement (invalid)

Password reset screen allows validity (or otherwise) of the provided email

Reported by: dartiss's profile dartiss Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: administration Cc:

Description

When clicking on 'Lost your password' during login, you are then prompted to enter a user name or email address. Entering one that is invalid will produce the messages...

ERROR: Invalid username or email.

or

ERROR: There is no user registered with that email address.

Depending on whether a user name or password, respectively, was provided.

An attacker could use this information to fish for user name or emails. This has been quite normal for sites in the past to do but more and more now give a generic 'if that information is valid, we'll send you a password reset email' instead. For the purposes of heightened security, I believe this should be implemented.

I have looked for duplicates of this already recorded on Trac and haven't found anything - apologies if this is not the case.

Attachments (1)

Screen Shot 2017-05-04 at 16.43.27.png (123.7 KB) - added by dartiss 7 years ago.
Screenshot of invalid email being used during password reset

Download all attachments as: .zip

Change History (3)

@dartiss
7 years ago

Screenshot of invalid email being used during password reset

#1 @iandunn
7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Hi, this is a known issue, and we don't consider usernames (and by extension, the existence of accounts) to be private. A similar thing can be achieved just by browsing the /author/{slug} views.

Please don't ignore the warning that Trac displays when creating security tickets. If you believe you've found a vulnerable, please disclose it to us privately, via HackerOne.

#2 @swissspidy
7 years ago

  • Milestone Awaiting Review deleted
  • Version trunk deleted

Previously: #12129.

Note: See TracTickets for help on using tickets.