Defect #6254
closed
Remove "Unknown user" notification on password request with non-existent email address
Added by Aron Rotteveel about 14 years ago.
Updated about 1 year ago.
Category:
Accounts / authentication
Description
Currently, it is possible to retrieve valid e-mailaddreses from the system by simply trying to request a password for it. If the emailaddress is not valid, Redmine will show a notification stating this.
It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.
Files
- Has duplicate Defect #25144: Account Harvesting login issue added
Aron Rotteveel wrote:
It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.
I completely agree. Redmine should always display notice_account_lost_email_sent ("An email with instructions to choose a new password has been sent to you.").
Hello,
I comment on this 12 years old defect because this is the only active one I found regarding this subject.
Is there a version in which this issue has been addressed, or a workaround ?
Thanks.
Regards,
JL
The attached patch changes the message when the entered email address is invalid as follows. Comments are welcome.
Before: "Invalid user"
After: "An email with instructions to choose a new password has been sent to you"
This patch should indeed do the trick, thanks !
I would even suggest updating the message to more accurately reflect the reality. Something like "An email with instructions to choose a new password has been sent if the mail address matches an existing account"
- Has duplicate Defect #37517: User disclosure vulnerability via "Forgot password" functionality added
- Target version set to Unplanned backlogs
Setting the target version to 5.1.0.
- Subject changed from Remove 'invalid user' notification on password request with invalid e-mailadress to Remove "Unknown user" notification on password request with non-existent email address
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
- Start date deleted (
2010-08-31)
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by