Password reset security issue


#1

Hi there,

I stumbled back upon this website after last using it in 2013, really liked the upgrade you guys gave it.

Now, the first thing I did was reset my password, but I couldn’t help but notice that when I entered my e-mail address I got the message “We found your email”. So I tried a fake email and got the message “No account matches xxx@xxx.xxx”. This is a potential risk to the website, as it is very easy for me to simply run a database of e-mail addresses / usernames on this screen and see who is using this website and who isn’t, and target them directly.

I would advise you to change the 2 different messages to 1 generic message along the lines of:
“If there was an account associated with , you will receive an email within the next 24 hours.”

I do hope this will be taken into consideration.


#2

Don’t know enough about this software, but on the old one you could search users. I don’t see how knowing that a person uses a site is a security risk. Could you enlighten me?


#3

Good point. This could lead to issues with phishing.

I’ve changed it to show the same message regardless of the email being in the db:

If an account matches %{email}, you should receive an email with instructions on how to reset your password shortly.
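As an added example, not code from the forum’s own software, here are the two behaviours discussed in post #1 and post #3 side by side as a small Ruby reset handler, plus a check that tells an enumeration oracle from a uniform response. The user store, the mail queue and all function names are constructed for the example.

```ruby
# Added example (not the forum's software): a password-reset endpoint in two
# forms. The first leaks account existence through its message; the second
# returns one fixed message and lets the lookup decide only whether a reset
# mail is queued. Names and data are constructed.
require 'securerandom'

# Constructed in-memory user store (email => user id).
USERS = {
  'alice@example.com' => 1,
  'bob@example.com'   => 2,
}.freeze

# Constructed mail queue standing in for a background job system.
MAIL_QUEUE = []

# Leaky form: the response text depends on whether the email is known,
# so the endpoint doubles as a user-enumeration oracle.
def leaky_reset(email)
  if USERS.key?(email)
    MAIL_QUEUE << { to: email, token: SecureRandom.hex(16) }
    "We found your email"
  else
    "No account matches #{email}"
  end
end

# Hardened form: the same message for every input. The lookup only decides
# whether a reset mail is queued, which the requester cannot see.
def safe_reset(email)
  id = USERS[email]
  MAIL_QUEUE << { to: email, token: SecureRandom.hex(16) } if id
  "If an account matches #{email}, you should receive an email with " \
    "instructions on how to reset your password shortly."
end

# Returns true when the handler's reply differs between a known and an
# unknown address once the echoed address itself is factored out.
def enumerable?(handler)
  known   = send(handler, 'alice@example.com').sub('alice@example.com', 'X')
  unknown = send(handler, 'nobody@example.com').sub('nobody@example.com', 'X')
  known != unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky_reset enumerable? #{enumerable?(:leaky_reset)}"  # true
  puts "safe_reset enumerable?  #{enumerable?(:safe_reset)}"   # false
end
```

A uniform message is only half of the fix: if the known-account path sends the mail synchronously (an SMTP round trip) while the unknown path returns at once, the response time still distinguishes the two. Hand the send to a background queue, as the sketch does, and rate-limit the endpoint per client so bulk lookups are slow and visible in logs. The same reasoning applies to sign-up and login error messages.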


#4

@astonecipher exactly as @John said, main concern was phishing, and in general, the less information you’re giving away, the more secure the platform.

& @John thanks for the quick response and change!