
Email enumeration prevention

Open degeri opened this issue 6 years ago • 4 comments

It is currently possible for someone to figure out if a specific email address is registered with the VSP. We do have captcha for all the pages that expose this information (this would prevent automated attacks) but someone could still manually do these requests.

This information is exposed in two pages.

  1. site.com/register: if we give an email that already exists it throws the error "This email address is already registered".


Fix:

Give a generic message regardless of if the email is registered or not (This is how politeia has implemented this)

We can have a message similar to politeia

Please check your inbox to verify your registration.

Note that, for privacy reasons, the VSP does not disclose whether an email address has already been registered. If you don't receive an email:

Check that [email protected] is the correct address.

Check your spam folder!

  2. site.com/settings: if an email address already exists it will throw the error "email address in use".


Unlike the solution above, we cannot fix this by simply giving a single generic message for both. It requires some additional fixing.

This is because "change email" triggers an email to the "old email" address. So depending on if the attacker received the email or not they can determine if the "new email" exists in the system. So we need to either:

  a. send an email to "new email" first and send the "email changed" email to "old email" only after email confirmation, or
  b. send a notification email to the "old email" regardless of if the "new email" exists or not.

"b" seems to be the better option

degeri, Jun 24 '19 17:06
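The two fixes proposed in the post (a constant response on register, and option "b" for the settings page) as an added example. This is not dcrstakepool's code; the in-memory Store and Outbox are constructed stand-ins for the VSP database and outgoing mail, and the message texts and the notice sent to an already-registered address are assumptions.

```go
package main

import "fmt"

// Constructed stand-in for the VSP database: which addresses have accounts.
type Store struct{ Registered map[string]bool }

// Constructed stand-in for outgoing mail; records every message so the
// tests can check what each address's owner could observe.
type Mail struct{ To, Subject string }
type Outbox struct{ Sent []Mail }

func (o *Outbox) send(to, subject string) { o.Sent = append(o.Sent, Mail{to, subject}) }

// MailsTo counts messages delivered to addr, i.e. what that inbox's owner sees.
func (o *Outbox) MailsTo(addr string) int {
	n := 0
	for _, m := range o.Sent {
		if m.To == addr {
			n++
		}
	}
	return n
}

// Register answers identically whether or not the address exists. The
// difference is moved into the mail, which only the address owner can read.
func Register(s *Store, out *Outbox, email string) string {
	if s.Registered[email] {
		out.send(email, "Someone tried to register this address") // assumed notice
	} else {
		out.send(email, "Verify your registration")
	}
	return "Please check your inbox to verify your registration."
}

// ChangeEmail implements option (b): the old address is notified on every
// request, so the requester's own inbox carries no signal about newEmail.
// A verification link goes to the new address only when it is free.
func ChangeEmail(s *Store, out *Outbox, oldEmail, newEmail string) string {
	out.send(oldEmail, "An email change was requested for your account")
	if !s.Registered[newEmail] {
		out.send(newEmail, "Verify your new address")
	}
	return "Please check your inbox to confirm the change."
}

func main() {
	s := &Store{Registered: map[string]bool{"alice@example.com": true, "bob@example.com": true}}
	out := &Outbox{}
	fmt.Println(Register(s, out, "alice@example.com"), "|", Register(s, out, "carol@example.com"))
	fmt.Println(ChangeEmail(s, out, "bob@example.com", "alice@example.com"), "|", ChangeEmail(s, out, "bob@example.com", "dave@example.com"))
	fmt.Println("mails bob can see:", out.MailsTo("bob@example.com")) // one per request, taken or not
}
```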

[image]

s-ben, Jun 28 '19 01:06

@s-ben Hey there, are you still working on it or is it free for all? :thinking:

amass01, Aug 22 '19 23:08

Nah man, was gonna but there was this Wheel of Fortune marathon on....

Not working on it @amassarwi, just joking around :) Looks like it's still open.

s-ben, Aug 23 '19 05:08

@amassarwi it's open. You can work on this.

degeri, Aug 23 '19 07:08