opencrvs / opencrvs-core

A global solution to civil registration
https://www.opencrvs.org

R06 In password recovery flow, do not reveal if an email works or not #7503

Open rikukissa opened 3 weeks ago

rikukissa commented 3 weeks ago

Description

Forgotten password

This should really just say “Password reset link is sent to the email supplied” regardless of whether the email is found or not

We should show this in any case:

(image attachment)

Username reminder

Security assessment details

Technical Overview

The application allowed the enumeration of e-mail addresses through the “forgot password” function. Due to the application's different responses it was possible to determine the validity of an e-mail address. In this case, when the supplied email address was invalid, the application returned a 401 Response Code, whilst a valid email address returned a 200 Response Code. Note: Due to the successful implementation of a rate limit within the application, the severity of this issue has been reduced from a Medium to a Low as rapid enumeration of accounts would be significantly more difficult to achieve.

References

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

Potential Impact if Exploited

The enumeration of valid e-mail addresses could be used to make more targeted attacks against an account, or aid during social engineering attacks.

Recommendations

Reconfigure the web application to prevent disclosing that a known/registered e-mail address was provided. The content of the HTTP response should be identical in both cases. Care should be taken to avoid introducing vulnerability to side-channel attacks (e.g. through deviant response times).
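The 200/401 difference described in the assessment next to a handler that follows the recommendation (identical status and body, same amount of work on both paths), as an added TypeScript example that is not OpenCRVS code; the user store, outbox and e-mail addresses are constructed placeholders:

```typescript
import { randomBytes } from "node:crypto";

interface HttpResponse { status: number; body: string }

// Constructed sample data: a user store and an outbox standing in for the mailer.
const USERS = new Map<string, { id: string }>([
  ["registrar@example.org", { id: "user-1" }],
]);
export const OUTBOX: { to: string; token: string }[] = [];

// Token minting is the costly step; the hardened handler runs it on every
// request so that response time does not depend on whether the email exists.
function mintResetToken(): string {
  return randomBytes(32).toString("hex");
}

// Before: status code and body differ by whether the email is registered,
// so the endpoint acts as an email oracle (200 = known, 401 = unknown).
export function forgotPasswordVulnerable(email: string): HttpResponse {
  const user = USERS.get(email.toLowerCase());
  if (!user) {
    return { status: 401, body: JSON.stringify({ error: "Email not found" }) };
  }
  OUTBOX.push({ to: email, token: mintResetToken() });
  return { status: 200, body: JSON.stringify({ message: "Password reset link sent" }) };
}

// After: identical status and body for both cases; the only difference is the
// side effect (a reset email is delivered only when the account exists).
export function forgotPasswordHardened(email: string): HttpResponse {
  const user = USERS.get(email.toLowerCase());
  const token = mintResetToken(); // same work whether or not the user exists
  if (user) {
    OUTBOX.push({ to: email, token });
  }
  return {
    status: 200,
    body: JSON.stringify({ message: "Password reset link is sent to the email supplied" }),
  };
}

// Regression check for a test suite: responses for a known and an unknown
// address must be byte-identical, otherwise enumeration has crept back in.
export function responsesIdentical(a: HttpResponse, b: HttpResponse): boolean {
  return a.status === b.status && a.body === b.body;
}
```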

rikukissa commented 3 weeks ago

@jpye-finch @altaopencrvs what do you think of always taking the user to the "Enter 6-digit authentication code" view in password recovery flow, even if the email they supplied doesn't work? That would improve security here significantly