AjuntamentdeBarcelona / decidim-barcelona

Decidim Barcelona - Direct and participatory democracy web platform based on Decidim framework
https://www.decidim.barcelona
GNU Affero General Public License v3.0

Better format validation and explanation on DNI/NIE/Passport field #47

Open oriolgual opened 7 years ago

oriolgual commented 7 years ago

From @andreslucena on February 8, 2017 16:18

:tophat: User Story

As a user, when I go to verify my residency I don't know what format the system expects me to enter the data in: is it NNNNNNNNNL, NNNNNNNNN-L or NNNNNNNNNl (letter in lowercase)?

:clipboard: Related documentation

:dart: Acceptance criteria

I should see some help or validation on the client (JavaScript) so I know what format I should enter it in.

:pushpin: Related issues

Copied from original issue: AjuntamentdeBarcelona/decidim#865
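The user story above asks for a precise format hint. Below is an added example (not decidim-barcelona code) of the kind of check that can answer it: it normalises separators and case so every variant the story lists compares equal, and then validates the well-known DNI/NIE structure and modulo-23 control letter. The assumption that the residency field holds a DNI or NIE in that standard form is mine, as are the hint strings and the sample numbers in the comments.

```ruby
# Added example, not part of the project: normalise and validate the format of
# a Spanish DNI/NIE so the form can tell the user exactly what is wrong with
# the format before anything is looked up server-side.

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE".freeze
NIE_PREFIX_VALUE = { "X" => "0", "Y" => "1", "Z" => "2" }.freeze

# Strip spaces, dots and hyphens and upcase, so "12345678-z", "12345678 Z" and
# "12345678z" all normalise to "12345678Z".
def normalize_document(raw)
  raw.to_s.gsub(/[\s\-.]/, "").upcase
end

# Expected control letter for the numeric part (number modulo 23 indexes the
# fixed letter table).
def control_letter(number_string)
  DNI_LETTERS[number_string.to_i % 23]
end

# Returns [ok, detail]. On success detail is the document type (:dni or :nie);
# on failure it names the problem so the UI can pick a precise hint.
def validate_document(raw)
  doc = normalize_document(raw)
  if (m = doc.match(/\A(\d{8})([A-Z])\z/))
    number, letter = m[1], m[2]
    return [false, :bad_control_letter] unless letter == control_letter(number)
    [true, :dni]
  elsif (m = doc.match(/\A([XYZ])(\d{7})([A-Z])\z/))
    # NIE: the leading letter stands for a digit (X=0, Y=1, Z=2) in the checksum.
    number = NIE_PREFIX_VALUE[m[1]] + m[2]
    return [false, :bad_control_letter] unless m[3] == control_letter(number)
    [true, :nie]
  else
    [false, :bad_format]
  end
end

# Hint texts are illustrative, not the project's copy.
FORMAT_HINT = {
  bad_format: "Use 8 digits followed by a letter (DNI) or X/Y/Z, 7 digits and a letter (NIE). " \
              "Hyphens, spaces and lowercase are accepted.",
  bad_control_letter: "The final letter does not match the number. Please check it."
}.freeze

# Convenience for a form handler: nil when the value is acceptable, else the hint.
def format_error_for(raw)
  ok, detail = validate_document(raw)
  ok ? nil : FORMAT_HINT[detail]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: "12345678Z" and "X1234567L" carry valid control letters.
  ["12345678-z", "x1234567l", "12345678A", "1234"].each do |value|
    puts "#{value.inspect} -> #{validate_document(value).inspect}"
  end
end
```

Because this check is purely structural it is safe to be specific about: it reveals nothing about who is in the census, which is the part that has to stay generic (see the enumeration discussion further down the thread).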

viktorsmari commented 6 years ago

Is it also possible to get an error msg if you are not on the 'municipal census database'?

See the related issue #169

It was a problem on layer 8 (the user wasn't on the municipal census database).

mrcasals commented 6 years ago

Isn't that leaking too much data to possible attackers?

viktorsmari commented 6 years ago

Possibly. Are you referring to a scenario where an attacker signs up and runs a check of multiple NIE numbers to see which ones are valid?

andreslucena commented 6 years ago

@viktorsmari exactly, we're trying to prevent a user enumeration attack. There's a trade-off between usability and security.

Some ways to mitigate this are:

a) Using a recaptcha (prevents automated attacks)
b) Adding some throttling/blocking on the number of checks that a given user could make
c) Improving the error message (i.e. "There was an error with your verification. Please contact suport@domain and send us a picture of your municipal census registry")

I think that the c) option is the easiest and cleanest to implement.
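Options b) and c) above are the server-side half of the trade-off. As an added example (not decidim-barcelona code), the following sketch combines them: a per-user sliding-window limit on census checks, and a single generic failure message that is returned whether the document is not in the census or the user is throttled, so the response never distinguishes the two. The census service, the in-memory attempt store and the policy numbers (5 attempts per hour) are constructed for the example; the message text is the one proposed in the comment.

```ruby
# Added example, not part of the project: throttle census lookups per user and
# answer every failure with the same message, so repeated checks cannot be used
# to discover which document numbers are registered.

MAX_ATTEMPTS = 5        # hypothetical policy: checks per user per window
WINDOW_SECONDS = 3600

# Text taken from the comment above; the address is the comment's placeholder.
GENERIC_FAILURE = "There was an error with your verification. Please contact " \
                  "suport@domain and send us a picture of your municipal census registry."

# In-memory sliding-window counter keyed by user id. A real deployment would keep
# this in a shared store so the limit holds across application instances.
class AttemptLimiter
  def initialize(max:, window:)
    @max = max
    @window = window
    @attempts = Hash.new { |h, k| h[k] = [] }
  end

  # Drop timestamps outside the window, then compare what is left to the limit.
  def allowed?(user_id, now = Time.now)
    @attempts[user_id].reject! { |t| t < now - @window }
    @attempts[user_id].size < @max
  end

  def record(user_id, now = Time.now)
    @attempts[user_id] << now
  end
end

# Constructed stand-in for the municipal census service.
class FakeCensus
  def initialize(documents)
    @documents = documents
  end

  def registered?(document)
    @documents.include?(document)
  end
end

# Returns a hash: :reason is for the server-side log only (it keeps the detail
# operators need), :message is the only text that reaches the user.
def verify_residency(user_id, document, census:, limiter:, now: Time.now)
  unless limiter.allowed?(user_id, now)
    return { ok: false, reason: :throttled, message: GENERIC_FAILURE }
  end
  limiter.record(user_id, now)
  if census.registered?(document)
    { ok: true, reason: :verified, message: "Your residency has been verified." }
  else
    # Same text as the throttled case: no distinguishing signal in the response.
    { ok: false, reason: :not_in_census, message: GENERIC_FAILURE }
  end
end

if __FILE__ == $PROGRAM_NAME
  census = FakeCensus.new(["12345678Z"])           # constructed census content
  limiter = AttemptLimiter.new(max: MAX_ATTEMPTS, window: WINDOW_SECONDS)
  puts verify_residency("user-1", "00000000T", census: census, limiter: limiter).inspect
  puts verify_residency("user-1", "12345678Z", census: census, limiter: limiter).inspect
end
```

Keeping the detailed reason in the log rather than in the response is what makes this compatible with option c): support staff can still see why a verification failed, while the form shows every unsuccessful caller the same thing. Format problems can stay specific, since they are checked before the census is consulted and leak nothing about it.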

viktorsmari commented 6 years ago

I like option C, if the user is sure he has typed in the correct format for the NIE (first comment).

Also, do you know which email I should contact, to verify if I am in the municipal census database?