🐛 Bug - Website confirms if email is associated with an account or not
Describe the bug: When resetting a password, the frontend will confirm whether an account exists with the specified email.
To Reproduce Steps to reproduce the behavior:
- Visit valour.gg
- Click on 'Forgot my password'
- Enter a random email address (that isn't associated with a Valour account)
- You will see that it can't find an account with the specified email.
Expected behavior: This shouldn't state whether the email is associated with an account. The benefit of not revealing whether a password reset email has matched an account is that you don't confirm a list of users' email addresses to an attacker, and you don't let other people know that a given user is using your site.
System Information:
- OS: Windows
- Valour Version 0.0.8.2 Pre-Pre-Alpha
- Valour Platform: Web
- Browser: Chrome 88.0.4324.182
Not sure if this is something that can be easily fixed. When you register, we have to let you know if an email has already been used - for obvious reasons. If we remove this from logins, people could just try to register under your email for the same effect. Curious if anyone disagrees.
Usually a login & register page can be somewhat rate-limited since a user shouldn't be constantly logging in or signing up. This would prevent it from being used maliciously as a bad actor would only have a few chances to check if an email exists.
With a forgot password page, it's safe to assume several people can forget their password each day, and if you rate limited this page you'd fully lock people out in circumstances where they forgot a password several times.
I still believe the best option is to just give a generic message saying "if an account with this email exists, we have sent them an email" or whatnot.
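The two handlers below are an added illustration of the fix discussed in this thread, not Valour's code: the reported "can't find an account" reply beside a version that returns the same generic message whether or not the email is registered, plus a register endpoint that avoids the "email already used" leak raised above by emailing the existing owner instead of telling the requester. The user table, mailer and token store are constructed in-memory stand-ins; `RESET_MESSAGE`, `REGISTER_MESSAGE` and the 15-minute token lifetime are assumptions for the example.

```python
"""Added example: enumeration-safe 'forgot password' and 'register' handlers.

Not the project's own code. Store, Mailer and the user records are
constructed stand-ins so the example runs offline.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

RESET_MESSAGE = "If an account with this email exists, we have sent it a password reset link."
REGISTER_MESSAGE = "Check your inbox for an email from us to finish signing up."
TOKEN_LIFETIME_SECONDS = 15 * 60  # assumed token lifetime


@dataclass
class Mailer:
    """Constructed stand-in for the mail service; records what would be sent."""
    outbox: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.outbox.append((to, subject, body))


@dataclass
class Store:
    """Constructed stand-in for the database."""
    users: dict = field(default_factory=dict)         # email -> {"id", "password_hash", "verified"}
    reset_tokens: dict = field(default_factory=dict)  # sha256(token) -> (user id, expiry)


def _normalize(email: str) -> str:
    # Treat "Alice@Example.com " and "alice@example.com" as the same account.
    return email.strip().lower()


def _hash_password(password: str) -> str:
    # Slow hash; called on every register path so the cost does not depend on existence.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000).hex()


def forgot_password_leaky(store: Store, mailer: Mailer, email: str) -> dict:
    """The reported behaviour: the reply differs depending on whether the account exists."""
    email = _normalize(email)
    if email not in store.users:
        return {"ok": False, "message": "We couldn't find an account with that email."}
    token = secrets.token_urlsafe(32)
    store.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (
        store.users[email]["id"], time.time() + TOKEN_LIFETIME_SECONDS)
    mailer.send(email, "Reset your password", f"Reset token: {token}")
    return {"ok": True, "message": "We've sent you a password reset email."}


def forgot_password(store: Store, mailer: Mailer, email: str) -> dict:
    """Hardened: identical response either way; mail only goes out if the account exists."""
    email = _normalize(email)
    token = secrets.token_urlsafe(32)  # generated on both paths so the work done is the same
    user = store.users.get(email)
    if user is not None:
        # Only the hash of the token is stored, so a database read cannot replay it.
        store.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (
            user["id"], time.time() + TOKEN_LIFETIME_SECONDS)
        mailer.send(email, "Reset your password", f"Reset token: {token}")
    return {"ok": True, "message": RESET_MESSAGE}


def register(store: Store, mailer: Mailer, email: str, password: str) -> dict:
    """Registration that never says 'already used': the existing owner is notified instead."""
    email = _normalize(email)
    pw_hash = _hash_password(password)  # done on both paths
    if email in store.users:
        mailer.send(email, "Someone tried to sign up with your email",
                    "If this was you, use 'Forgot my password' to get back into your account.")
    else:
        store.users[email] = {"id": len(store.users) + 1, "password_hash": pw_hash, "verified": False}
        mailer.send(email, "Verify your email", f"Verification token: {secrets.token_urlsafe(32)}")
    return {"ok": True, "message": REGISTER_MESSAGE}


def distinct_responses(handler, store: Store, mailer: Mailer, emails) -> int:
    """How many different reply bodies an attacker sees when probing a list of emails.

    1 means the endpoint gives the attacker nothing; 2 means it is an enumeration oracle.
    """
    return len({tuple(sorted(handler(store, mailer, e).items())) for e in emails})
```

The identical response body is necessary but not sufficient: if the reset email is sent synchronously on the request path, the existing-account branch will take measurably longer, so queue the send and return immediately. Rate limiting, as noted above, is best keyed per target email with a generous allowance (a handful of resets per hour) rather than a blanket limit on the page, and it only slows enumeration rather than removing the oracle.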