Closed
Bug 1934985
Opened 2 months ago
Closed 2 months ago
Security Issue: Password Sent in Plain Text via Forgot Password Feature
Categories
(addons.mozilla.org :: Security, enhancement)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: madhavverma079, Unassigned)
References
Details
When using the "Forgot Password" functionality, the application sends the user's password in plain text via email.
Steps to Reproduce:
- Go to the login page.
- Click on the "Forgot Password" link.
- Enter a registered email address and submit the request.
- Observe that the email contains the password in plain text.
Suggested Fixes:
- Replace plaintext password emails with secure password reset links.
- Hash passwords using bcrypt or Argon2.
- Avoid including sensitive information in email communications.
Priority: High
Severity: Critical
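The first suggested fix above, a link-based reset instead of mailing a password, as an added illustration that is not code from this bug report, from addons.mozilla.org or from Mozilla accounts: the server mints a random single-use token, stores only its hash with an expiry, and the email carries the link alone. The in-memory store, the `/reset` path and the `example.invalid` base URL are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes

# Constructed in-memory store: email -> (sha256(token), expiry). A real
# service would persist this per account and log issuance for monitoring.
_pending_resets: dict = {}

def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_reset_link(email: str, base_url: str, now: Optional[float] = None) -> str:
    """Mint a random, single-use reset link; the email carries this, never a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return f"{base_url}/reset?{urlencode({'email': email, 'token': token})}"

def parse_reset_link(link: str) -> tuple:
    """Recover (email, token) from the link, as the reset page would."""
    params = parse_qs(urlparse(link).query)
    return params["email"][0], params["token"][0]

def verify_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """True exactly once per issued token, and only before it expires."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(email)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        _pending_resets.pop(email, None)  # expired: discard it
        return False
    if not hmac.compare_digest(digest, _digest(token)):
        return False  # wrong token; keep the entry so the real link still works
    _pending_resets.pop(email, None)  # consumed: a reset link is single use
    return True

def reset_email_body(link: str) -> str:
    """The message sent to the user: it contains the link and nothing secret."""
    return ("A password reset was requested for your account. Follow this link "
            f"within 15 minutes: {link}\nIf this was not you, ignore this message.")
```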
Updated • 2 months ago
OS: Unspecified → All
Hardware: Unspecified → All
Comment 2 • 2 months ago
Assuming you are indeed talking about addons.mozilla.org, that's incorrect: the email you get from the Forgot Password feature (which is implemented by Mozilla accounts, not specific to addons.mozilla.org, so that's the wrong product/component) doesn't contain a password. It contains a confirmation code to proceed with the Password reset.
Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Resolution: --- → INVALID