Re: Hide email validation in "Lost password" page? -- Security bug

[Davi Leal]

Victor Engmark wrote:
> I just tried the Lost password,
> and I think we shouldn't tell the user whether the email was found in
> the database, to avoid anyone checking up on emails they know. Two worst
> case scenarios are that our site can be used by spammers to verify addresses
> they've collected, and that an employer can check which employees are
> looking for new jobs. We could instead just show a message including the
> following information:
>
>    - The email should arrive shortly, IFF the email is found in our user
>    database.
>    - If you don't receive an email, please check the spelling and try
>    again.

I agree!. That can be considered a security bug about confidentiality.


> For users to be able to detect their error after the fact, we could let the
> email stay in the field after submission.

Good point.


> To stop pranksters and accidental double-clicks from annoying users, we
> could also add a restriction that no email will be sent if an email was sent
> to the same address less than X seconds / minutes before. We should probably
> change the message to reflect that, to avoid even a white lie (ref. "your
> email will arrive shortly").

This extra addition requires we create a new field at the E1_Entities
table to save the last lost-password-request time stamp. But with the
current data base model, we can only do it for the emails (entities) which
are already registered. So the spammers could note what email exists doing
several quick requests.

We could use a specific LO_LostPassword table to save both registered and
not registered email lost-password-request, but is it too much work
for such feature addition.

Abstract:
  I personally think this last extra addition is not needed.


> What do you think?

Please, add a savannah task. Of course, If you want, you can develop this
bug fix.

Davi