Open rikukissa opened 3 weeks ago
@jpye-finch @altaopencrvs what do you think of always taking the user to the "Enter 6-digit authentication code" view in password recovery flow, even if the email they supplied doesn't work? That would improve security here significantly
Description
Forgotten password
This should really just say “Password reset link is sent to the email supplied” regardless of whether the email is found or not
We should show this in any case:
Username reminder
Security assessment details
Technical Overview
References
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
Potential Impact if Exploited
Recommendations
Reconfigure the web application to prevent disclosing that a known/registered e-mail address was provided. The content of the HTTP response should be identical in both cases. Care should be taken to avoid introducing vulnerability to side-channel attacks (e.g. through deviant response times).
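The recommendation above (identical HTTP response for known and unknown emails, without a timing tell) and the earlier suggestion to always move on to the next step of the recovery flow can be implemented as a handler that does the same work on every path and only enqueues the actual email job. The following is an added TypeScript example written for this issue, not OpenCRVS's own code; the in-memory user store, the `outbox` queue and the `leakyRequestPasswordReset` "before" handler are constructed for illustration. The same pattern applies to the username-reminder flow.

```typescript
import { createHash, randomBytes } from "crypto";

// Constructed stand-in for the user database (assumption: not the real model).
const USERS = new Map<string, { id: string }>([
  ["registrar@example.test", { id: "user-1" }],
]);

// Constructed email job queue. The handler only enqueues work here; a
// separate worker sends mail, so the HTTP response never waits on delivery
// and cannot reveal whether a message was actually queued.
export const outbox: Array<{ to: string; tokenHash: string }> = [];

export interface ResetResponse {
  status: number;
  body: { message: string };
}

// "Before": the kind of handler the assessment flags. The status code and
// message differ depending on whether the email exists, so an unauthenticated
// caller can enumerate registered addresses.
export function leakyRequestPasswordReset(email: string): ResetResponse {
  const user = USERS.get(email.trim().toLowerCase());
  if (!user) {
    return { status: 404, body: { message: "No account found for that email." } };
  }
  const token = randomBytes(32).toString("hex");
  outbox.push({ to: email, tokenHash: sha256(token) });
  return { status: 200, body: { message: "Password reset link sent." } };
}

// "After": one generic response for every input, and the same amount of
// token work on both branches so the known/unknown paths cost about the same.
export function requestPasswordReset(email: string): ResetResponse {
  const normalized = email.trim().toLowerCase();
  const user = USERS.get(normalized);

  // Generate and hash a token on every request. For an unknown address the
  // token is simply discarded; the point is uniform work, not the value.
  const token = randomBytes(32).toString("hex");
  const tokenHash = sha256(token);

  if (user) {
    // Persisting the hash and sending the mail happen off the request path.
    outbox.push({ to: normalized, tokenHash });
  }

  // Identical status and body whether or not the email matched a user; the
  // client proceeds to the "enter the code from your email" step either way.
  return {
    status: 200,
    body: {
      message: "If an account exists for that email, a password reset link has been sent.",
    },
  };
}

function sha256(value: string): string {
  return createHash("sha256").update(value).digest("hex");
}
```

The remaining timing difference is the user lookup itself (a database hit versus a miss), which this pattern does not erase; pairing it with rate limiting on the endpoint and keeping mail delivery on a queue rather than in the request keeps the observable difference small and non-deterministic.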