[OpenStreetMap] #5130: Reset password facility leaks email addresses
OpenStreetMap
trac at noreply.openstreetmap.org
Tue Feb 25 14:07:30 UTC 2014
#5130: Reset password facility leaks email addresses
-----------------------+-------------------------
Reporter: oxplot | Owner: rails-dev@…
Type: defect | Status: closed
Priority: critical | Milestone:
Component: website | Version:
Resolution: wontfix | Keywords:
-----------------------+-------------------------
Comment (by TomH):
To summarise the status of this:
* The reset password page leaks exactly one piece of information - the
fact that a given email address is associated with an account. It does not
tell you which account or anything else that could not be determined in
other ways.
* I have no problem changing the current system if somebody can provide
suggestions for a replacement which will not lead to a major loss of
usability - a lot of people using that page are not just trying to reset a
password for a known account but are unsure if they even have an account
so that needs to be borne in mind.
* I do not believe that captchas are generally useful - even the biggest
players have trouble keeping their captchas able to resist bots and we
would stand no chance.
--
Ticket URL: <https://trac.openstreetmap.org/ticket/5130#comment:5>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
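As an added example (not OpenStreetMap's code), a Ruby sketch contrasting a reset handler whose reply differs for known and unknown addresses, which is the leak the ticket describes, with one that answers uniformly and only varies what it queues for the mailer. The account store, messages and the `outbox` mailer stand-in are constructed for the example.

```ruby
require 'securerandom'

# Constructed sample account store: email => user id.
ACCOUNTS = { "alice@example.org" => 1 }.freeze

# Leaky variant: status and message depend on whether the address is known,
# so an unauthenticated caller can confirm that an account exists.
def reset_leaky(email, store = ACCOUNTS)
  if store.key?(email)
    { status: 200, message: "Reset instructions sent to #{email}" }
  else
    { status: 404, message: "No account with that email" }
  end
end

# Uniform variant: the same status and message are returned either way.
# Account existence only decides whether a reset mail is queued; `outbox`
# stands in for the mailer so the example runs offline. Delivery should be
# asynchronous so response time does not become a second signal.
def reset_uniform(email, store = ACCOUNTS, outbox = [])
  if store.key?(email)
    token = SecureRandom.hex(16) # one-time token carried in the reset link
    outbox << { to: email, token: token }
  end
  { status: 200,
    message: "If that address has an account, reset instructions have been sent." }
end

# Check: does the handler answer differently for a known and an unknown address?
def enumerable?(handler)
  handler.call("alice@example.org") != handler.call("nobody@example.org")
end
```

The uniform reply still tells a user who is unsure whether they have an account to check their mailbox, which is the usability case raised in the comment.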