Defect #6254

Remove 'invalid user' notification on password request with invalid e-mail address

Added by Aron Rotteveel over 12 years ago. Updated 3 months ago.

Status: New
Start date: 2010-08-31
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: Unplanned backlogs
Resolution:
Affected version:

Description

Currently, it is possible to retrieve valid e-mail addresses from the system by simply trying to request a password for it. If the e-mail address is not valid, Redmine will show a notification stating this.

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.

6254.patch (1.47 KB) Go MAEDA, 2022-07-21 11:49

Related issues

Duplicated by Redmine - Defect #25144: Account Harvesting login issue Closed
Duplicated by Redmine - Defect #37517: User disclosure vulnerability via "Forgot password" funct... Closed

History

#1 Updated by Go MAEDA almost 6 years ago

  • Duplicated by Defect #25144: Account Harvesting login issue added

#2 Updated by Go MAEDA almost 6 years ago

source:tags/3.3.2/config/locales/en.yml#L153:

  notice_account_unknown_email: Unknown user.

#3 Updated by Go MAEDA almost 6 years ago

Aron Rotteveel wrote:

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.

I completely agree. Redmine should always display notice_account_lost_email_sent ("An email with instructions to choose a new password has been sent to you.").

#4 Updated by j l 5 months ago

Hello,

I comment on this 12-year-old defect because this is the only active one I found regarding this subject.
Is there a version in which this issue has been addressed, or a workaround?

Thanks.
Regards,
JL

#5 Updated by Go MAEDA 5 months ago

The attached patch changes the message when the entered email address is invalid as follows. Comments are welcome.

Before: "Invalid user"
After: "An email with instructions to choose a new password has been sent to you"
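
The response change described in this comment, as an added illustration (not Redmine's code or the attached patch): a minimal model of the lost-password handler, with the enumerating behaviour beside the uniform one. The account table, the outbox, and the function names are constructed for the example; the two message strings are the locale texts quoted in this thread.

```ruby
# Constructed sample account table (email => login); not real data.
ACCOUNTS = { 'alice@example.com' => 'alice' }.freeze

# Locale texts mentioned in the thread (notice_account_unknown_email /
# notice_account_lost_email_sent).
NOTICE_UNKNOWN_EMAIL   = 'Unknown user.'
NOTICE_LOST_EMAIL_SENT = 'An email with instructions to choose a new password has been sent to you.'

# Before: the reply differs depending on whether the address is known,
# so the form can be used to confirm which addresses have accounts.
def lost_password_before(email, outbox)
  login = ACCOUNTS[email.strip.downcase]
  return { status: :error, message: NOTICE_UNKNOWN_EMAIL } unless login

  outbox << { to: email, login: login }
  { status: :ok, message: NOTICE_LOST_EMAIL_SENT }
end

# After: the client always receives the same status and message; the
# reset mail is only queued when an account actually matches.
def lost_password_after(email, outbox)
  login = ACCOUNTS[email.strip.downcase]
  outbox << { to: email, login: login } if login
  { status: :ok, message: NOTICE_LOST_EMAIL_SENT }
end

# Check used to verify a handler: does a known address produce a
# different response than an unknown one?
def distinguishable?(handler)
  known   = handler.call('alice@example.com', [])
  unknown = handler.call('nobody@example.com', [])
  known != unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "before leaks account existence: #{distinguishable?(method(:lost_password_before))}"
  puts "after leaks account existence:  #{distinguishable?(method(:lost_password_after))}"
end
```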

#6 Updated by j l 4 months ago

This patch should indeed do the trick, thanks!

I would even suggest updating the message to more accurately reflect the reality. Something like "An email with instructions to choose a new password has been sent if the mail address matches an existing account"

#7 Updated by Mischa The Evil 4 months ago

  • Duplicated by Defect #37517: User disclosure vulnerability via "Forgot password" functionality added

#8 Updated by Mischa The Evil 3 months ago

  • Target version set to Unplanned backlogs
