Do not disclose whether a user account exists or not when a user clicks "forgot password"

RESOLVED FIXED in Bugzilla 5.0

Status: RESOLVED FIXED (enhancement; priority --)
Reported: 6 years ago; last modified: 4 years ago
Reporter: LpSolit; Assignee: LpSolit
Blocks: 1 bug
Version: unspecified; Target Milestone: Bugzilla 5.0
Bug Flags: approval+
Attachments: 1 attachment

Description (Assignee, 6 years ago)
If you ask to change your forgotten password and you type an email address which doesn't exist, then the message should be the same as the one you get if the user account exists. See bug 670887 for some of the rationale.
Comment 1 (Assignee, 6 years ago)
Bonus point: the email sent to change the password should also include the IP address of the user asking for a new password. This way, this would give us a chance to track a potential attacker if many users receive the "change password" email with the same IP address in it.
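The behaviour asked for in the description and in comment 1, as an added Python illustration (not Bugzilla's Perl code): the pre-fix handler answers differently depending on whether the address is registered, while the fixed handler returns one fixed message and only differs in whether a mail is queued, and that mail carries the requester's IP. The account set, the outbox and `ip_addr` (assumed to be the remote address as seen by the server) are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample account store; a real deployment would query its user table.
KNOWN_ACCOUNTS = {"alice@example.com"}

# One message for both cases, so the response never reveals whether the address is registered.
UNIFORM_MESSAGE = ("A password-change request has been received. If an account exists for "
                   "that address, an email with further instructions has been sent to it.")

@dataclass
class Outbox:
    sent: list = field(default_factory=list)

def build_password_mail(to_addr: str, token: str, ip_addr: str) -> dict:
    """Plain-text mail modelled on the template in the bug: the requester's IP is included
    so that recipients (and admins) can notice many requests coming from one address."""
    body = (
        "You have (or someone impersonating you has) requested to change your "
        f"Bugzilla password. The request originated from {ip_addr}.\n\n"
        f"Token: {token}\n"
    )
    return {"To": to_addr, "X-Bugzilla-Type": "admin", "body": body}

def forgot_password_leaky(email: str, ip_addr: str, outbox: Outbox) -> str:
    """Before the fix: the reply differs, so the form doubles as an account-existence check."""
    if email not in KNOWN_ACCOUNTS:
        return "There is no Bugzilla account for that email address."
    outbox.sent.append(build_password_mail(email, secrets.token_urlsafe(32), ip_addr))
    return "An email with instructions has been sent."

def forgot_password(email: str, ip_addr: str, outbox: Outbox) -> str:
    """After the fix: the same text is returned either way; only the side effect differs,
    and that side effect is visible only to the owner of the mailbox."""
    if email in KNOWN_ACCOUNTS:
        outbox.sent.append(build_password_mail(email, secrets.token_urlsafe(32), ip_addr))
    return UNIFORM_MESSAGE

def responses_are_uniform(ip_addr: str = "203.0.113.7") -> bool:
    """Existing and unknown addresses must yield identical replies; exactly one mail is sent."""
    outbox = Outbox()
    known = forgot_password("alice@example.com", ip_addr, outbox)
    unknown = forgot_password("nobody@example.com", ip_addr, outbox)
    return known == unknown and len(outbox.sent) == 1 and ip_addr in outbox.sent[0]["body"]
```

The response body is only half of the channel: the handler still does the same amount of work on both paths here, but a real implementation should also avoid a large timing difference (for example, an expensive mail send only on the "exists" path).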
Comment 2 (Assignee, 6 years ago)
Created attachment 756536 [details] [diff] [review]
patch, v1
Assignee: user-accounts → LpSolit
Status: NEW → ASSIGNED
Attachment #756536 - Flags: review?(dkl)
Comment on attachment 756536 [details] [diff] [review]
patch, v1

Review of attachment 756536 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good and worked as expected. Nit can be fixed on checkin. r=dkl

::: template/en/default/account/password/forgotten-password.txt.tmpl
@@ +12,4 @@
>  X-Bugzilla-Type: admin
>  
>  You have (or someone impersonating you has) requested to change your 
> +[%+ terms.Bugzilla %] password. The request comes from [% ip_addr %].
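Review bot: The new line interpolates `[% ip_addr %]` into the mail body without documenting which address it holds; if the server sits behind a reverse proxy the remote address it observes is the proxy's, and the correlation described in comment 1 (many mails carrying the same IP) would then point at the proxy rather than the requester. Suggest a short comment where `ip_addr` is set stating that it is the server-observed remote address and not a client-supplied header, and wording the sentence so the recipient knows the address is informational, e.g. `The request originated from [% ip_addr %]. If you did not make this request, you can ignore this email.`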

nit: s/comes/originated/
Attachment #756536 - Flags: review?(dkl) → review+
Updated (Assignee, 6 years ago)
Flags: approval+
Target Milestone: --- → Bugzilla 5.0
Comment 4 (Assignee, 6 years ago)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified token.cgi
modified Bugzilla/Token.pm
modified template/en/default/account/password/forgotten-password.txt.tmpl
modified template/en/default/global/messages.html.tmpl
Committed revision 8634.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Updated (Assignee, 5 years ago)
Duplicate of this bug: 958551
Duplicate of this bug: 965149
Updated (Assignee, 4 years ago)
Duplicate of this bug: 1038297