
Possible to find whether an email is attached to an account
Status: Closed, Wontfix. Visibility: Public.

Description

Received via OpenBugBounty to Miraheze.

Bug: Email enumeration
Enumeration of the email addresses of already registered users is possible, and/or checking whether a user with a specific email address is registered on the website, which can then be used for phishing attacks or other malicious intent.

In the "Forgot Password" section, there is an implemented security measure regarding this specific flaw.

PoC:

  1. Go to https://phabricator.miraheze.org/login/email/
  2. Reset the password with an email address that is not registered

You get this response: "There is no account associated with that email address."
When you type an email address that is already registered, you get a response telling you that the email was sent to your mailbox.

The password reset function should provide a generic reply saying you have mail if account exists.

I will also report this to Phab.

Event Timeline

RhinosF1 created this object in space S1 Public.
RhinosF1 created this object with visibility "Custom Policy".

Note: reporter exploited without permission

That's intentional (upstream) because it's very hard to make any actual attack with this information that can't be made without it.

> Note: reporter exploited without permission

I don't understand this sentence...

avivey claimed this task.

Closing for now as "we're ok with this", and there was no interaction on this ticket for a while.

avivey changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 3 2023, 10:28

Can this be made public?

👍

If I've understood correctly,

From a data protection point of view, it makes sense that anonymous users cannot know whether an address is registered or not.

As a solution, many CMSs adopt precisely such generic messages, for example "If this email is registered, you have received a reset email" or something similar.

Yes. The trade-off would be user experience. I have absolutely spent 15+ minutes waiting for a reset email on sites after having either typo'd or put in a different email address from the one I signed up with.

While it could be seen as an information leak, it only works if you know the email beforehand. I would probably be in favor of leaving the existing behavior but making sure that form is rate limited to something like 5 requests in 30 or 60 min.
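The two mitigations discussed in this ticket, a single generic reply regardless of whether the address is registered, and a per-client rate limit in the range suggested above (5 requests per 30 minutes), shown side by side with the reported leaky behaviour. This is an added example, not Phorge's or Miraheze's code; the user store, the client identifier and the mail sink are constructed stand-ins.

```python
"""Added example (not Phorge's code): the leaky reset handler beside a
hardened one that returns one generic message and rate-limits per client."""
import time
from collections import defaultdict, deque

# Constructed sample user store: email -> account name (assumption, not real data).
REGISTERED = {"alice@example.org": "alice"}

# Outbound "mail" is recorded here instead of being sent (constructed sink).
SENT_MAIL = []


def leaky_reset(email):
    """Behaviour reported in the ticket: the reply reveals whether the address exists."""
    if email not in REGISTERED:
        return "There is no account associated with that email address."
    SENT_MAIL.append(email)
    return "An email has been sent to your address."


GENERIC_REPLY = "If an account exists for that address, a reset email has been sent."
RATE_LIMITED_REPLY = "Too many reset requests; please try again later."


class ResetLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit=5, window=30 * 60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        q = self.hits[client]
        while q and now - q[0] > self.window:  # drop requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_reset(email, client, limiter, now=None):
    """Same reply whether or not the address is registered; mail only goes to real accounts.
    The limit applies before the lookup so the rate-limited reply cannot leak either.
    In a real deployment the mail send should be queued so response time does not differ."""
    if not limiter.allow(client, now):
        return RATE_LIMITED_REPLY
    if email in REGISTERED:
        SENT_MAIL.append(email)
    return GENERIC_REPLY
```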