[OpenStreetMap] #5130: Reset password facility leaks email addresses
OpenStreetMap
trac at noreply.openstreetmap.org
Tue Feb 25 13:56:36 UTC 2014
#5130: Reset password facility leaks email addresses
-----------------------+-------------------------
Reporter: oxplot | Owner: rails-dev@…
Type: defect | Status: closed
Priority: critical | Milestone:
Component: website | Version:
Resolution: wontfix | Keywords:
-----------------------+-------------------------
Comment (by oxplot):
Since you mentioned that you have chosen not to follow it, I assume this
has never been implemented. So there is actually no data that this change
would increase the number of emails you receive. As a solution to a
''possible'' increase, you could show a message to ask the user to retry
the procedure should they not receive the email promptly.

Now, regarding "terrible usability", I agree with you but it shouldn't
mean abandoning security. You (openstreetmap) are responsible for keeping
your users' data confidential. Now Apple's
[[https://iforgot.apple.com/password/verify/appleid|Forgot Password
feature]] tells you they've sent the email regardless. I mention Apple
because they're known for some of the best UX designs. However,
[[https://www.facebook.com/login/identify?ctx=recover|facebook]],
[[https://twitter.com/account/resend_password|twitter]],
[[https://instagram.com/accounts/password/reset/|instagram]],
[[http://www.reddit.com/password|reddit]],
[[https://en.wikipedia.org/wiki/Special:PasswordReset|wikipedia]],
[[https://github.com/sessions/forgot_password|github]] and others do what
OSM does. But with ''a difference'', they watch the usage very closely and
stop brute force attacks by use of reCAPTCHA for instance (usability
anyone?). In contrast, I just ran a script to try 1000 reset requests in
under 2 minutes and OSM answered each and every one of them!

It'd be better usability if no one had to enter a password but we do it
because nothing else has the security vs usability balance that password
provides. But for reset password functionality, there is a choice. OSM,
however, is not doing one or the other, but half of one.
--
Ticket URL: <https://trac.openstreetmap.org/ticket/5130#comment:2>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
More information about the rails-dev
mailing list
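The two failure modes the comment above describes are account enumeration through the reset response and the absence of any throttling on the reset endpoint. The following is an added example written for this page, not code from the OpenStreetMap website or any of the sites linked above. It is in Ruby because the OSM site is a Rails application, but it is plain Ruby with no Rails dependency: a constructed in-memory user table (`USERS`), an in-process outbox standing in for the mailer, a leaky handler that answers differently for registered and unregistered addresses, a uniform handler that returns the same text either way, and a small fixed-window rate limiter keyed by client IP. The limit of 5 requests per 10 minutes and the IP addresses used in the simulation are assumptions chosen for illustration.

```ruby
# Added example (not OSM code): a password-reset endpoint that leaks
# whether an email address is registered, beside one that answers
# uniformly and throttles reset requests per client IP.
require 'securerandom'

# Constructed user table: only these addresses have accounts (assumption).
USERS = { 'alice@example.org' => 'uid-1', 'bob@example.org' => 'uid-2' }.freeze

# Stand-in for the mail queue; records what would have been sent.
OUTBOX = []

# Leaky handler: status and message differ by whether the address exists,
# so an unauthenticated caller can confirm which emails have accounts.
def reset_leaky(email, _client_ip = nil, _now = nil)
  if USERS.key?(email)
    OUTBOX << { to: email, token: SecureRandom.hex(16) }
    [200, 'Reset instructions have been sent.']
  else
    [404, 'No account found for that email address.']
  end
end

# Fixed-window limiter keyed by an arbitrary string (here the client IP).
# Assumption: in-process state; a multi-host deployment needs a shared store.
class RateLimiter
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true and records the hit if the key has fewer than `limit`
  # hits inside the trailing window; older timestamps are pruned first.
  def allow?(key, now = Time.now.to_f)
    hits = @hits[key]
    hits.reject! { |t| t <= now - @window }
    return false if hits.size >= @limit
    hits << now
    true
  end
end

# 5 reset requests per source IP per 10 minutes (assumed values).
RESET_LIMITER = RateLimiter.new(limit: 5, window_seconds: 600)
UNIFORM_MSG = 'If an account exists for that address, reset instructions have been sent.'.freeze

# Uniform handler: same status and text whether or not the address is
# registered; mail is only enqueued for real accounts. The token is derived
# on both paths so the work done does not depend on the lookup result.
def reset_uniform(email, client_ip, now = Time.now.to_f)
  unless RESET_LIMITER.allow?(client_ip, now)
    return [429, 'Too many reset requests; please try again later.']
  end
  token = SecureRandom.hex(16)
  OUTBOX << { to: email, token: token } if USERS.key?(email)
  [200, UNIFORM_MSG]
end

# Replays the burst from the comment: `count` requests for distinct probe
# addresses from one IP spread evenly over `duration` seconds. Returns a
# histogram of HTTP status codes the handler produced.
def simulate_burst(handler, count, client_ip, start = 0.0, duration = 120.0)
  results = Hash.new(0)
  count.times do |i|
    now = start + duration * i / count
    status, = handler.call("probe#{i}@example.org", client_ip, now)
    results[status] += 1
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:   #{simulate_burst(method(:reset_leaky), 1000, '198.51.100.1')}"
  puts "uniform: #{simulate_burst(method(:reset_uniform), 1000, '198.51.100.2')}"
end
```

Two caveats a reviewer would raise: a per-IP limit alone is bypassed by spreading requests across many sources, so a per-target-address limit (or a CAPTCHA after a few attempts, as the comment notes other sites do) belongs alongside it; and the uniform message only helps if the mail is handed to a queue rather than sent inline, otherwise the response time itself tells the caller whether an account exists.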