Indirect data leak of email address

Currently the forgot password logic outputs whether an email address exists, allowing anyone to check against the database whether a certain email address is accounted for.

Although minor, it is a data leak and should be fixed so as not to inform the outside world (any non-logged-in user/bot) about the existence or non-existence of an email address in the database.


Great spot!

Hi @JSHBV,

As a temporary workaround, you could change the message that’s displayed in HivePress using Loco Translate.

Perhaps to something like:

If the email address entered is associated with an existing account, a password reset link will be sent.

I hope this helps!

Cheers,
Chris

No, it will not, because the response to the request will identify whether the email address is present, regardless of the message being displayed.

A nonexistent email address will return 404; an existing one will return 200.

Hi,

Thanks for reporting this. The bug is confirmed, and we’ll fix it as soon as possible.

As for a temporary fix, there are two options:

  1. Change the text in Loco Translate as suggested by Chris. This will work because 404 may still appear if the username does not exist, and then it is less clear whether it is a username or an email error, making it impossible to verify the email.

  2. Alternatively, try setting up reCAPTCHA for this form, and then bots will not be able to register.

I hope it helps
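As an added illustration (example code written for this page, not HivePress's own), the Python below models the two behaviours discussed in the thread: a forgot-password handler that answers 404 for an unknown account and 200 for a known one, beside one that returns the same status and body either way, plus the kind of probe an attacker would run against each. The user table, the handler and function names, and the message text are constructed for the example; the probe compares every response against a baseline taken from an identifier that is certainly invalid, so it does not need to know why a request failed, only that the answer differs.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample account table (hypothetical; stands in for the WP users table).
USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}

# The neutral wording suggested in the thread, used by both handlers so that the
# only difference between them is the HTTP status code.
GENERIC_MSG = ("If the email address entered is associated with an existing "
               "account, a password reset link will be sent.")


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def reset_leaky(identifier: str) -> Response:
    """Behaviour reported in the thread: 404 for an unknown account, 200 for a
    known one. Changing only the displayed text leaves the status-code oracle."""
    if identifier not in USERS:
        return Response(404, GENERIC_MSG)
    # send_reset_link(...) would go here
    return Response(200, GENERIC_MSG)


def reset_hardened(identifier: str) -> Response:
    """Identical status and body whether or not the account exists. The reset
    mail is only queued for real accounts, so nothing leaks through the response."""
    user = USERS.get(identifier)
    if user is not None:
        token = secrets.token_urlsafe(32)
        # queue_reset_email(user, token)  # hypothetical helper; queue it asynchronously
        #                                 # so response time does not leak either
    return Response(200, GENERIC_MSG)


def probe_accounts(handler: Callable[[str], Response],
                   candidates: Iterable[str]) -> list[str]:
    """Attacker-side enumeration probe: take a baseline response for an
    identifier that cannot exist, then flag every candidate whose response
    (status or body) differs from that baseline."""
    baseline = handler(f"no-such-user-{secrets.token_hex(8)}@example.invalid")
    return [c for c in candidates if handler(c) != baseline]


if __name__ == "__main__":
    cands = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("leaky handler confirms:", probe_accounts(reset_leaky, cands))
    print("hardened handler confirms:", probe_accounts(reset_hardened, cands))
```

The hardened handler fixes the oracle at the source by making the observable response independent of the lookup result. A CAPTCHA or rate limit on the form raises the cost of probing in bulk but does not remove the difference in responses, so a single targeted lookup still succeeds against the leaky variant.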