Mitigate the risk of information leakage through sign-up forms

Open josecelano opened this issue 2 years ago • 4 comments

When you use an email that has already been used by another user you get a message like this:

image

That allows users to easily check if a user with a given email is registered. Although this is very common behavior in a lot of online services, for example, LinkedIn:

image

I think we should try to mitigate it.

Proposal 1

Add a captcha and/or a rate limit (IP) to the registration form to at least make it harder to automatize checking a list of emails.

Proposal 2

  • Make the email always optional in the sign-up form.
  • Remove configuration option email_on_signup. The email would always be optional.
  • Allow email duplicates. You can sign up with somebody else's email.
  • The application does nothing with the user's email unless it is validated. This should always be the case. For example, to reset passwords, send notifications, etc. For the time being, the email is only verified when the email_verification_enabled option is enabled. The user's email is not used for anything else.

```toml
# ...

[auth]
email_on_signup = "Optional"

# ...

[mail]
email_verification_enabled = false
from = "[email protected]"
reply_to = "[email protected]"
username = ""
password = ""
server = ""
port = 25

# ...
```

Both proposals are compatible.

cc @torrust/torrustaceans

josecelano avatar Feb 29 '24 13:02 josecelano

Relates to: https://github.com/torrust/torrust-index/discussions/306

josecelano avatar Feb 29 '24 13:02 josecelano

Option 3:

Do not register the user until the email has been validated.

  1. Ask the user to enter their email.
  2. Send an email to the user: a. Send a registration link, if unregistered. b. Send a "you already have an account" email, if already registered.
  3. The user completes registration, logs in, or resets their password.

da2ce7 avatar Feb 29 '24 14:02 da2ce7

Hi @da2ce7, I think that is what the program does when email_on_signup is Required and email_verification_enabled is true. But currently it also tells you that the email is taken. We could simply allow duplicate emails, but a user could mistakenly write a wrong email which is valid. In that case, it would be impossible to re-use that account (username).

josecelano avatar Feb 29 '24 14:02 josecelano

@josecelano @da2ce7

I would do the following:

  1. Don't allow users to register until they verify their email address.
  2. Add a captcha and/or a rate limit (IP) to the registration form to at least make it harder to automate checking a list of emails.
  3. I would NOT allow more than one account with the same email.
  4. If a user tries to sign up/log in with someone else's email, we could send a security warning to that email every time, letting that user know that someone is trying to sign up or sign in using that email.

I also think we could do some more research on this topic and see how other apps implement it.

mario-nt avatar Mar 04 '24 11:03 mario-nt
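A sketch of the combined approach discussed in this thread (da2ce7's Option 3, where nothing is stored until the email is verified and the visible response is the same either way, plus the per-IP rate limit from Proposal 1). This is an added example, not torrust-index code; `UserStore`, the caller-supplied `token` and the response wording are assumptions.

```rust
use std::collections::{HashMap, HashSet};
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// Constant reply for every sign-up attempt: the HTTP response alone must
/// not reveal whether the address already has an account.
pub const PUBLIC_RESPONSE: &str =
    "If that address is valid, we have sent an email with the next steps.";

/// Sent out of band by the mailer; only here do the two cases differ.
#[derive(Debug, PartialEq)]
pub enum OutboundMail {
    RegistrationLink { to: String, token: String },
    AccountExistsNotice { to: String },
}
/// Assumed stand-in for the real user repository.
pub struct UserStore { registered: HashSet<String> }
impl UserStore {
    pub fn new(emails: &[&str]) -> Self {
        Self { registered: emails.iter().map(|e| normalize_email(e)).collect() }
    }
}

/// Trim and lowercase so "Alice@Example.com " matches "alice@example.com".
pub fn normalize_email(raw: &str) -> String { raw.trim().to_ascii_lowercase() }
/// Option 3: nothing is stored until the email is verified. `token` is a
/// caller-supplied random verification token (assumed; from a CSPRNG).
pub fn begin_signup(store: &UserStore, raw: &str, token: &str) -> (&'static str, OutboundMail) {
    let to = normalize_email(raw);
    let mail = if store.registered.contains(&to) {
        OutboundMail::AccountExistsNotice { to }
    } else {
        OutboundMail::RegistrationLink { to, token: token.to_string() }
    };
    (PUBLIC_RESPONSE, mail)
}

/// Proposal 1: fixed-window per-IP cap on sign-up attempts; `now` is passed
/// in so callers (and tests) control the clock.
pub struct IpRateLimiter { max: u32, window: Duration, hits: HashMap<IpAddr, (Instant, u32)> }

impl IpRateLimiter {
    pub fn new(max: u32, window: Duration) -> Self { Self { max, window, hits: HashMap::new() } }
    pub fn allow(&mut self, ip: IpAddr, now: Instant) -> bool {
        let entry = self.hits.entry(ip).or_insert((now, 0));
        if now.duration_since(entry.0) >= self.window { *entry = (now, 0); }
        if entry.1 >= self.max { return false; }
        entry.1 += 1;
        true
    }
}
```

The two `begin_signup` branches return the identical public string; a caller should also make sure they take comparable time and that the mailer runs asynchronously, otherwise timing becomes the next leak.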