[OpenStreetMap] #5130: Reset password facility leaks email addresses

OpenStreetMap trac at noreply.openstreetmap.org
Tue Feb 25 13:56:36 UTC 2014


#5130: Reset password facility leaks email addresses
-----------------------+-------------------------
  Reporter:  oxplot    |      Owner:  rails-dev@…
      Type:  defect    |     Status:  closed
  Priority:  critical  |  Milestone:
 Component:  website   |    Version:
Resolution:  wontfix   |   Keywords:
-----------------------+-------------------------

Comment (by oxplot):

 Since you mentioned that you have chosen not to follow it, I assume this
 has never been implemented. So there is actually no data that this change
 would increase the number of emails you receive. As a solution to a
 ''possible'' increase, you could show a message to ask the user to retry
 the procedure should they not receive the email promptly.

 Now, regarding "terrible usability", I agree with you but it shouldn't
 mean abandoning security. You (openstreetmap) are responsible for keeping
 your users' data confidential. Now Apple's
 [[https://iforgot.apple.com/password/verify/appleid|Forgot Password
 feature]] tells you they've sent the email regardless. I mention Apple
 because they're known for some of the best UX designs. However,
 [[https://www.facebook.com/login/identify?ctx=recover|facebook]],
 [[https://twitter.com/account/resend_password|twitter]],
 [[https://instagram.com/accounts/password/reset/|instagram]],
 [[http://www.reddit.com/password|reddit]],
 [[https://en.wikipedia.org/wiki/Special:PasswordReset|wikipedia]],
 [[https://github.com/sessions/forgot_password|github]] and others do what
 OSM does. But with ''a difference'', they watch the usage very closely and
 stop brute force attacks by use of reCAPTCHA for instance (usability
 anyone?). In contrast, I just ran a script to try 1000 reset requests in
 under 2 minutes and OSM answered each and every one of them!

 It'd be better usability if no one had to enter a password but we do it
 because nothing else has the security vs usability balance that passwords
 provide. But for reset password functionality, there is a choice. OSM,
 however, is not doing one or the other, but half of one.

-- 
Ticket URL: <https://trac.openstreetmap.org/ticket/5130#comment:2>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
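An added example, not OSM's own code, of the approach the comment argues for: a reset request handler that returns the same message whether or not the address is registered, combined with a per-address and per-IP rate limit so that a burst of 1000 requests in two minutes is refused rather than answered. The user store, mailer, limits and IP addresses are constructed assumptions.

```ruby
require 'securerandom'
require 'digest'

# Enumeration-safe password reset requests with a sliding-window rate limit.
# The caller cannot tell a registered address from an unknown one by the
# response, and repeated requests per address or per IP are refused.
class PasswordResetRequester
  GENERIC_MESSAGE = "If that address is registered, a reset email has been sent."
  MAX_PER_WINDOW = 5     # requests allowed per key inside WINDOW (assumed limit)
  WINDOW = 600           # seconds

  # users: hash of lowercase email => user id (constructed sample store)
  # mailer: object responding to #deliver(email, token)
  # clock: injectable for testing; returns seconds as an Integer
  def initialize(users, mailer, clock: -> { Time.now.to_i })
    @users, @mailer, @clock = users, mailer, clock
    @hits = Hash.new { |h, k| h[k] = [] }   # rate-limit key => request times
    @tokens = {}                            # user id => sha256(token)
  end

  # Returns [http_status, message]. Known and unknown addresses both get
  # 200 with GENERIC_MESSAGE; only the rate limit changes the outcome.
  def request(email, ip)
    addr = email.downcase.strip
    keys = ["email:#{addr}", "ip:#{ip}"]
    return [429, "Too many requests, please retry later."] unless keys.all? { |k| allow?(k) }
    keys.each { |k| record(k) }
    if (uid = @users[addr])
      token = SecureRandom.urlsafe_base64(32)
      @tokens[uid] = Digest::SHA256.hexdigest(token)  # store only the hash
      # In a real deployment hand this to a background job so that response
      # timing does not differ between known and unknown addresses.
      @mailer.deliver(email, token)
    end
    [200, GENERIC_MESSAGE]
  end

  private

  def allow?(key)
    now = @clock.call
    @hits[key].reject! { |t| t <= now - WINDOW }   # drop hits outside window
    @hits[key].size < MAX_PER_WINDOW
  end

  def record(key)
    @hits[key] << @clock.call
  end
end

# Constructed stand-in mailer that records deliveries instead of sending.
class RecordingMailer
  attr_reader :sent
  def initialize; @sent = []; end
  def deliver(email, token); @sent << [email, token]; end
end
```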