netlify / gotrue

An SWT based API for managing users and issuing SWT tokens.
https://www.gotrueapi.org
MIT License
3.82k stars 283 forks

fix: Update overly specific security error to prevent leaking email addresses #260

Closed lloydjatkinson closed 3 years ago

lloydjatkinson commented 4 years ago

- Summary

This PR resolves a security risk whereby email addresses can be brute force guessed through the returned error messages thus exposing user accounts.

Currently, the API returns two different error messages for incorrect password entry and incorrect password entry when a user account exists with the specified email address. This allows for enumeration of registered user accounts and therefore significantly narrows the number of brute force attempts to access an account.

Instead, as per OWASP (Open Web Application Security Project), a generic approach should be taken to the returned error:

> Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.

Fortunately this is a simple fix as it simply involves changing the string value returned from the API.

This problem has been discussed in these two existing issues:

https://github.com/netlify/netlify-identity-widget/issues/225
https://github.com/netlify/gotrue-js/issues/74

- Test plan

NA

- Description for the changelog

Use generic security error message per OWASP guidance to prevent email address leaks.
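The behaviour this PR describes, as an added illustration that is not gotrue's own code: a sign-in check that returns two distinct messages ("no such user" versus "wrong password") beside the hardened form that returns one generic message for both outcomes. The function names (`loginLeaky`, `loginHardened`), the in-memory user store and the example accounts are constructed for this example; `hashPassword` uses SHA-256 as a stand-in so the code runs with only the standard library, whereas a real service would use bcrypt or argon2. The hardened version also runs the password comparison when the account does not exist, so the two outcomes do not differ in timing either.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrInvalidCredentials is the single generic message returned for every
// failed sign-in, whether or not the email address is registered.
var ErrInvalidCredentials = errors.New("Invalid email or password")

// Distinct messages used by the leaky handler; the difference in wording is
// what lets a caller tell registered addresses from unregistered ones.
var (
	errNoSuchUser  = errors.New("No user found with this email")
	errBadPassword = errors.New("Invalid Password")
)

type user struct {
	email        string
	passwordHash [32]byte
}

// hashPassword is a constructed stand-in for bcrypt/argon2 (assumption: a
// real service uses a slow password hash, not plain SHA-256).
func hashPassword(p string) [32]byte { return sha256.Sum256([]byte(p)) }

// checkPassword compares in constant time so the comparison itself does not
// leak how many bytes matched.
func checkPassword(u user, p string) bool {
	h := hashPassword(p)
	return subtle.ConstantTimeCompare(h[:], u.passwordHash[:]) == 1
}

// newStore returns a constructed in-memory store with one example account.
func newStore() map[string]user {
	return map[string]user{
		"alice@example.com": {email: "alice@example.com", passwordHash: hashPassword("correct horse")},
	}
}

// loginLeaky mirrors the pre-fix behaviour: the error text reveals whether
// the email address belongs to an existing account.
func loginLeaky(store map[string]user, email, password string) error {
	u, ok := store[email]
	if !ok {
		return errNoSuchUser
	}
	if !checkPassword(u, password) {
		return errBadPassword
	}
	return nil
}

// dummyHash is compared against when no account exists so that the unknown
// and known-email paths do the same amount of work.
var dummyHash = hashPassword("placeholder-to-equalise-work")

// loginHardened returns the same error for an unknown email and for a wrong
// password, per the OWASP guidance quoted in the PR.
func loginHardened(store map[string]user, email, password string) error {
	u, ok := store[email]
	if !ok {
		u = user{passwordHash: dummyHash} // still run the comparison below
	}
	valid := checkPassword(u, password)
	if !ok || !valid {
		return ErrInvalidCredentials
	}
	return nil
}

func main() {
	store := newStore()
	fmt.Println("leaky, unknown email:   ", loginLeaky(store, "nobody@example.com", "x"))
	fmt.Println("leaky, wrong password:  ", loginLeaky(store, "alice@example.com", "x"))
	fmt.Println("hardened, unknown email:", loginHardened(store, "nobody@example.com", "x"))
	fmt.Println("hardened, wrong password:", loginHardened(store, "alice@example.com", "x"))
	fmt.Println("hardened, correct:      ", loginHardened(store, "alice@example.com", "correct horse"))
}
```

A quick way to check a deployment for this class of issue from the defender's side is to compare the full response (status code, body and headers) for an unregistered address against one for a registered address with a wrong password; anything that differs between the two is a signal.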