gnuherds-app-dev

Re: Hide email validation in "Lost password" page? -- Security bug


From: Antenore Gatta
Subject: Re: Hide email validation in "Lost password" page? -- Security bug
Date: Wed, 18 Apr 2007 17:00:50 +0200

Obviously I agree as well...

What about an additional step to check also the user ID?
I mean:

1. Generate a (random?) user ID for all the already registered users
(the same during registration).
2. Send the user ID by email.

When the user asks for the password reminder he must provide both
email and user ID.

This is to avoid a brute-force attack, i.e. the user johnHerds with
email address@hidden

The drawback is that we also need a user ID reminder... But it's quite secure.

On 4/18/07, Davi Leal <address@hidden> wrote:
Victor Engmark wrote:
> I just tried the Lost password,
> and I think we shouldn't tell the user whether the email was found in
> the database, to avoid anyone checking up on emails they know. Two worst
> case scenarios are that our site can be used by spammers to verify addresses
> they've collected, and that an employer can check which employees are
> looking for new jobs. We could instead just show a message including the
> following information:
>
>    - The email should arrive shortly, IFF the email is found in our user
>    database.
>    - If you don't receive an email, please check the spelling and try
>    again.

I agree! That can be considered a security bug about confidentiality.


> For users to be able to detect their error after the fact, we could let the
> email stay in the field after submission.

Good point.


> To stop pranksters and accidental double-clicks from annoying users, we
> could also add a restriction that no email will be sent if an email was sent
> to the same address less than X seconds / minutes before. We should probably
> change the message to reflect that, to avoid even a white lie (ref. "your
> email will arrive shortly").

This extra addition requires that we create a new field in the E1_Entities
table to save the last lost-password-request timestamp. But with the
current database model, we can only do it for the emails (entities) which
are already registered. So spammers could note which emails exist by doing
several quick requests.

We could use a specific LO_LostPassword table to save both registered and
not registered email lost-password requests, but it is too much work
for such a feature addition.

Abstract:
  I personally think this last extra addition is not needed.


> What do you think?

Please add a Savannah task. Of course, if you want, you can develop this
bug fix.

Davi


_______________________________________________
GnuHerds-app-dev mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/gnuherds-app-dev
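One way to implement the uniform "Lost password" response and the per-address throttle discussed in this thread, as an added example that is not GnuHerds code; the class, the in-memory stand-ins for the E1_Entities and LO_LostPassword tables, and the 10-minute window are assumptions:

```python
import secrets
from dataclasses import dataclass, field

# Throttle window ("X seconds / minutes" in the thread); the value is an assumption.
THROTTLE_SECONDS = 600

# The one message shown in every case, so the page reveals neither whether the
# address is registered nor whether a reminder was actually sent.
RESPONSE = ("If this address is registered and no reminder was sent to it in the "
            "last 10 minutes, an email will arrive shortly. If you don't receive "
            "one, please check the spelling and try again.")


@dataclass
class LostPasswordService:
    registered: set                                     # stand-in for E1_Entities
    last_request: dict = field(default_factory=dict)    # stand-in for LO_LostPassword
    outbox: list = field(default_factory=list)          # (email, token) that would be mailed

    def request_reset(self, email: str, now: float) -> str:
        """Handle one lost-password request; always returns the same message."""
        email = email.strip().lower()
        # Drop expired throttle records so unregistered addresses do not pile up forever.
        self.last_request = {e: t for e, t in self.last_request.items()
                             if now - t < THROTTLE_SECONDS}
        # Throttle state is kept for every address, registered or not, so repeated
        # quick requests behave identically and cannot be used to tell them apart.
        throttled = email in self.last_request
        if not throttled:
            self.last_request[email] = now
            if email in self.registered:
                # A real reminder would carry a one-time token in the mailed link.
                self.outbox.append((email, secrets.token_urlsafe(32)))
        return RESPONSE
```

The caller should also return the same HTTP status and render the same page in every branch; the message alone is not the only observable.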