Page MenuHomePhorge
Create Task
Maniphest T15091

Possible to find whether an email is attached to an account
Closed, WontfixPublic
Actions

Description

Received via OpenBugBounty to Miraheze.

Bug : Email enumeration
Enumeration of email addresses of already registered users is possible, and or, checking if a user with a specific email address is registered in the website and will then be used for phishing attacks or any malicious intent.

In the "Forgot Password" section, there is an implemented security measure regarding this specific flaw.

Poc:

  1. go to https://phabricator.miraheze.org/login/email/
  2. reset password with email not registered

you got this response : " There is no account associated with that email address. "
and when you tap email already registered you got response told you that the email was sent to your mail

The password reset function should provide a generic reply saying you have mail if account exists.

I will also report to Phab

Event Timeline

RhinosF1 created this task.Apr 17 2022, 07:11
RhinosF1 created this object in space S1 Public.
RhinosF1 created this object with visibility "Custom Policy".
Herald added subscribers: Matthew, chris, speck. · View Herald TranscriptApr 17 2022, 07:11
RhinosF1 added projects: Security, People (archived).Apr 17 2022, 07:11
RhinosF1 added a comment.Apr 17 2022, 07:19

Note: reporter exploited without permission

avivey subscribed.Apr 18 2022, 18:45

That's intentional (upstream) because it's very hard to make any actual attack with this information can't be made without it.

Note: reporter exploited without permission

I don't understand this sentence...

avivey edited projects, added People; removed People (archived).Apr 6 2023, 11:14
avivey closed this task as Wontfix.Jun 3 2023, 08:13
avivey claimed this task.

Closing for now as "we're ok with this", and there was no interaction on this ticket for a while.

RhinosF1 added a comment.Jun 3 2023, 10:23

Can this be made public?

avivey changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 3 2023, 10:28
Herald added a subscriber: tobiaswiese. · View Herald TranscriptJun 3 2023, 10:28
avivey added a comment.Jun 3 2023, 10:29
In T15091#9775, @RhinosF1 wrote:

Can this be made public?

👍

valerio.bozzolan subscribed.Jun 3 2023, 10:52
valerio.bozzolan added a comment.Jun 3 2023, 10:54

If I've understood correctly,

From a data protection point of view, it makes sense that anonymous users cannot know whether an address is registered or not.

Many CMSs as a solution adopt precisely generic messages such as "If this email is registered, you have received a reset email" or something like that.

speck added a comment.Jun 3 2023, 16:08

Yes. The trade off would be user experience. I have absolutely spent 15+ minutes waiting for a reset email on sites after having either typo’d or put in a different email address from the one I signed up with.

While it could be seen as an information leak it only works if you know the email before-hand. I would probably be in favor of leaving the existing behavior but making sure that form is rate limited to something like 5 requests in 30 or 60 min.

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0