[OpenStreetMap] #5130: Reset password facility leaks email addresses
OpenStreetMap
trac at noreply.openstreetmap.org
Tue Feb 25 07:33:40 UTC 2014
#5130: Reset password facility leaks email addresses
----------------------+-------------------------
Reporter: oxplot | Owner: rails-dev@…
Type: defect | Status: new
Priority: critical | Milestone:
Component: website | Version:
Keywords: |
----------------------+-------------------------
When using the [[https://www.openstreetmap.org/user/forgot-password|Lost Password facility]],
openstreetmap warns the user if the entered email address doesn't exist in
the system.
This is a very well known security issue and can allow attackers to cut
the time needed to crack their way in by orders of magnitude (see a
mention of it under
[[http://www.fishnetsecurity.com/6labs/resource-library/white-paper/best-practices-secure-forgot-password-feature|"DON'T" disclose valid usernames section]]).
The proper way is to show the success message for all inputs. If the user
mistyped their email, they won't receive an email and will retry.
--
Ticket URL: <https://trac.openstreetmap.org/ticket/5130>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
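The fix the ticket asks for, as an added example in plain Ruby that is not OpenStreetMap's code: a forgot-password handler that returns a different response for unknown addresses, beside one that returns the same status and message for every input and only differs in whether a reset mail is queued. The user store (`USERS`), the outbox (`OUTBOX`) and the probe function are constructed for the example. One caveat the ticket does not spell out: an identical response body is not enough if the known-address path takes measurably longer (for example because it sends mail synchronously), so the mail should be handed to a background job so that response time does not become the oracle instead.

```ruby
# Added example (not OpenStreetMap's code): a forgot-password handler that
# leaks whether an email address is registered, beside one that does not.
require 'securerandom'

# Constructed in-memory user store; a real application would query the
# users table. Only one address is "registered".
USERS = {
  'alice@example.org' => { id: 1 }
}.freeze

# Hypothetical outbox standing in for an asynchronous mail job queue.
OUTBOX = []

# Leaky version: the HTTP status and message depend on whether the address
# exists, so a single request per address is an existence oracle.
def forgot_password_leaky(email)
  user = USERS[email.to_s.strip.downcase]
  return { status: 404, message: 'Email address not found' } if user.nil?

  token = SecureRandom.hex(32)
  OUTBOX << { to: email, token: token }
  { status: 200, message: 'Password reset instructions sent' }
end

# Fixed version: every input gets the same status and message. The only
# difference is the side effect (a queued mail), which the requester cannot
# observe. The mail must be queued, not sent inline, so that response time
# stays the same for known and unknown addresses.
def forgot_password_fixed(email)
  user = USERS[email.to_s.strip.downcase]
  unless user.nil?
    token = SecureRandom.hex(32)
    OUTBOX << { to: email, token: token }
  end
  { status: 200,
    message: 'If that address is registered, reset instructions have been sent' }
end

# Probe the handler the way an attacker would: submit a known and an
# unknown address and check whether the responses can be told apart.
# Returns true when the handler is usable as an enumeration oracle.
def enumeration_oracle?(handler, known_email, unknown_email)
  known_response   = handler.call(known_email)
  unknown_response = handler.call(unknown_email)
  known_response != unknown_response
end

if __FILE__ == $PROGRAM_NAME
  known   = 'alice@example.org'
  unknown = 'nobody@example.org'
  puts "leaky handler is an oracle: " \
       "#{enumeration_oracle?(method(:forgot_password_leaky), known, unknown)}"
  puts "fixed handler is an oracle: " \
       "#{enumeration_oracle?(method(:forgot_password_fixed), known, unknown)}"
  puts "mails queued: #{OUTBOX.size}"
end
```

Run it and the leaky handler reports as an oracle while the fixed one does not; the outbox shows that reset mail still goes only to the registered address, which is exactly the behaviour the reporter describes (a mistyped address simply never receives a mail).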