#40667 closed enhancement (invalid)
Password reset screen allows validity (or otherwise) of the provided email
| Reported by: | dartiss | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | administration | Cc: | |
Description
When clicking on 'Lost your password' during login, you are then prompted to enter a user name or email address. Entering one that is invalid will produce the messages...
ERROR: Invalid username or email.
or
ERROR: There is no user registered with that email address.
Depending on whether a user name or password, respectively, was provided.
An attacker could use this information to fish for user names or emails. This has been quite normal for sites in the past to do, but more and more now give a generic 'if that information is valid, we'll send you a password reset email' instead. For the purposes of heightened security, I believe this should be implemented.
I have looked for duplicates of this already recorded on Trac and haven't found anything - apologies if this is not the case.
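To make the reported behaviour concrete, here is an added example (not code from the ticket, the reporter, or WordPress core) that models a password-reset request handler two ways: one that returns the distinct error texts quoted above, and one that returns the single generic message the ticket proposes. The user store, the success message, the generic message and the helper names are constructed for this example.

```python
"""Toy password-reset request handler: verbose (enumerable) vs. uniform response.

Added illustration only; the user store and all messages except the two ERROR
strings quoted in the ticket are constructed, not WordPress's own.
"""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample user store: login -> email address.
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}


def _find_user(identifier: str) -> Optional[str]:
    """Resolve a username, or an email address if the input contains '@'."""
    if "@" in identifier:
        for login, email in USERS.items():
            if email.lower() == identifier.lower():
                return login
        return None
    return identifier if identifier in USERS else None


@dataclass
class ResetResponse:
    message: str     # text shown to the requester
    mail_sent: bool  # whether a reset link was actually dispatched


def reset_request_verbose(identifier: str) -> ResetResponse:
    """Behaviour the ticket reports: the error text depends on whether the
    account exists, so the response itself confirms or denies the account."""
    user = _find_user(identifier)
    if user is None:
        if "@" in identifier:
            return ResetResponse(
                "ERROR: There is no user registered with that email address.", False)
        return ResetResponse("ERROR: Invalid username or email.", False)
    # Constructed success text; in the real flow a mail would be sent here.
    return ResetResponse("Check your email for the reset link.", True)


# Constructed generic message: identical for known and unknown identifiers.
GENERIC = ("If an account matches that username or email address, "
           "a password reset link has been sent.")


def reset_request_uniform(identifier: str) -> ResetResponse:
    """Hardened variant the ticket proposes: the visible message never varies;
    only the side effect (sending mail) depends on whether the account exists."""
    user = _find_user(identifier)
    return ResetResponse(GENERIC, mail_sent=user is not None)


def is_enumerable(handler: Callable[[str], ResetResponse],
                  known: str, unknown: str) -> bool:
    """Defender's check: True if the response message differs between a known
    and an unknown identifier, i.e. the handler leaks account existence."""
    return handler(known).message != handler(unknown).message


if __name__ == "__main__":
    for name, handler in (("verbose", reset_request_verbose),
                          ("uniform", reset_request_uniform)):
        leaks = is_enumerable(handler, "alice", "mallory")
        print(f"{name}: leaks account existence = {leaks}")
```

The `is_enumerable` check only compares message text; when reviewing a real implementation, the HTTP status code, redirect target and response timing should be kept uniform as well, since any of those can carry the same distinction the error text does here.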
Attachments (1)
Change History (3)
#1 @ 7 years ago
- Resolution set to invalid
- Status changed from new to closed
Hi, this is a known issue, and we don't consider usernames (and by extension, the existence of accounts) to be private. A similar thing can be achieved just by browsing the /author/{slug} views.
Please don't ignore the warning that Trac displays when creating security tickets. If you believe you've found a vulnerability, please disclose it to us privately, via HackerOne.
Attachment: Screenshot of invalid email being used during password reset