Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upPassword reset allows enumeration of used email addresses #1515
Comments
wxcafe
added
bug
internationalization
priority - medium
security
labels
Apr 11, 2017
R0ckweb
referenced this issue
Apr 11, 2017
Merged
Avoid user enumeration with devise paranoid mode #1527
Gargron
closed this
in
#1527
Apr 11, 2017
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Dr-Syn
commented
Apr 11, 2017
|
Thank you very much! |
added a commit
that referenced
this issue
Apr 11, 2017
pushed a commit
to ericblade/mastodon
that referenced
this issue
Apr 11, 2017
added a commit
to mbilokonsky/mastodon
that referenced
this issue
Apr 11, 2017
pushed a commit
to Nyoho/mastodon
that referenced
this issue
Apr 25, 2017
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
gandaro
Sep 30, 2017
Contributor
You can also insert the email address in question into the registration form, and you will be told whether it is already taken.
From what I take from devise.en.yml, you can also use the “unlock account” form to find out which email addresses are taken on a server. See the “send me a confirmation email” form as well.
|
You can also insert the email address in question into the registration form, and you will be told whether it is already taken. From what I take from devise.en.yml, you can also use the “unlock account” form to find out which email addresses are taken on a server. See the “send me a confirmation email” form as well. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
gandaro
Sep 30, 2017
Contributor
And an attacker can just set the preferred language (HTTP Accept-Language) to German, for instance, and then you can still use the “forgot password” form. Because the German translation still differentiates between the “paranoid” and the “non-paranoid” string.
gandaro
commented
Sep 30, 2017
•
edited
Edited 1 time
-
gandaro
edited Sep 30, 2017 (most recent)
edited
-
Sep 30, 2017 (most recent)
|
And an attacker can just set the preferred language (HTTP |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
|
Please re-open. |
Dr-Syn commentedApr 11, 2017
When in the password reset dialogue, entering an email address that is not in the database of users' passwords results in a specific error stating that the address has not been found.
This allows for enumeration of what emails are in-use by the users on a given instance, which could conceivably be leveraged to, e.g., determine which emails in a db dump located elsewhere are in-use by the users of a given instance, to take advantage of credential reuse or the like.
The best-practice behavior from a security POV would be to respond with something along the lines of
regardless of whether the email address is present or not; this would nullify this kind of attack.
( Yes - I am aware that credential reuse is frowned upon; I'm also aware that it happens constantly and it's better to mitigate it when possible than to add to the endless lectures that regular users ignore. )