Closed Bug 1934985 Opened 2 months ago Closed 2 months ago

Security Issue: Password Sent in Plain Text via Forgot Password Feature

Categories

(addons.mozilla.org :: Security, enhancement)

enhancement

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: madhavverma079, Unassigned)

References

Details

When using the "Forgot Password" functionality, the application sends the user's password in plain text via email.

Steps to Reproduce:

  1. Go to the login page.
  2. Click on the "Forgot Password" link.
  3. Enter a registered email address and submit the request.
  4. Observe that the email contains the password in plain text.

Suggested Fixes:

  1. Replace plaintext password emails with secure password reset links.
  2. Hash passwords using bcrypt or Argon2.
  3. Avoid including sensitive information in email communications.

Priority: High
Severity: Critical

OS: Unspecified → All
Hardware: Unspecified → All
Duplicate of this bug: 1935018
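The first suggested fix above (a reset link instead of an emailed password) can be illustrated with a minimal token flow. This is an added example, not code from addons.mozilla.org or Mozilla accounts; the in-memory store, the 15-minute lifetime and the example.invalid link base are assumptions made for the demonstration.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for the example: sha256(token) -> record.
# Only the hash is kept, so a database leak does not expose live tokens.
_reset_store = {}
TOKEN_TTL = 15 * 60  # assumed lifetime of a reset token, in seconds


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Create a single-use, time-limited reset token for an account.

    The raw token is returned so it can be placed in the emailed link;
    the user's password is never read, stored in clear, or emailed.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_store[_hash_token(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    return token


def reset_link(token, base="https://example.invalid/reset"):
    """Build the link that goes into the email (base URL is assumed)."""
    return f"{base}?token={token}"


def consume_reset_token(token, now=None):
    """Return the account email if the token is valid, otherwise None.

    Lookup is by hash of a high-entropy random token, so the dictionary
    lookup itself leaks nothing useful about other stored tokens.
    """
    now = time.time() if now is None else now
    rec = _reset_store.get(_hash_token(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True  # tokens are single use
    return rec["email"]
```

The link carries only the random token; the server accepts it once, within the lifetime, and then lets the user choose a new password.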

Assuming you are indeed talking about addons.mozilla.org, that's incorrect: the email you get from the Forgot Password feature (which is implemented by Mozilla accounts, not specific to addons.mozilla.org, so that's the wrong product/component) doesn't contain a password. It contains a confirmation code to proceed with the password reset.

Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Resolution: --- → INVALID