Password Reset should not be sending plaintext passwords!!! - ESOUI
08/19/19, 02:10 PM   #1
Lent
AddOn Author
Join Date: Apr 2019
Posts: 6
Password Reset should not be sending plaintext passwords!!!

Currently the password reset function does a couple things wrong:

a) It tells the user whether or not an email is registered (meaning an attacker could use the entry to find valid accounts). This can also be a privacy issue because if I know a target's email address, I can use your form to see if they have an account, and thus attach that to their identity.

b) More importantly, upon requesting a password reset, a new password is sent to the user in plaintext. The user is not required to change their password upon login - so this is super scary.

Proposed fixes:

a) Change password reset to something a bit more ambiguous ("If your account is registered with us, you'll receive an email shortly with a link to reset your password", or similar). If you couple this with proper handling on the backend (e.g. to avoid timing attacks), an attacker would not be able to guess valid accounts.

b) Change the password reset link in email to point to a password reset field, and change the password directly on the site. This keeps the data at least partially encrypted in transit because they're sending their password data to you over HTTPS. Never, ever, ever, ever, ever, EVER send the user any account details over email (or ever display their password, period).

If the forum software/site integration you're using doesn't have the ability to change password on-site, then a temporary password via email is *begrudgingly* acceptable, ONLY as long as you force them to change their password immediately before letting them do anything else.
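One way to implement the flow proposed above (same reply for any address, a single-use expiring reset token in the email instead of a password, and the new password chosen on-site over HTTPS), as an added example that is not code from the ESOUI site or this thread; the user table, token table, mailer outbox and reset URL are constructed stand-ins:

```python
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL_SECONDS = 30 * 60

# Constructed in-memory stand-ins for the site's user table, token table and mailer.
USERS = {"alice@example.com": {"salt": os.urandom(16), "pw_hash": b""}}
PENDING_RESETS = {}   # sha256(token) -> (email, expiry); the raw token is never stored
OUTBOX = []           # (email, reset_link) that the mailer would deliver

GENERIC_REPLY = ("If your account is registered with us, you'll receive an email "
                 "shortly with a link to reset your password.")

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def request_reset(email):
    """Same reply for known and unknown addresses; only the mailer side differs."""
    token = secrets.token_urlsafe(32)           # generated unconditionally
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if email in USERS:
        PENDING_RESETS[token_hash] = (email, time.time() + RESET_TTL_SECONDS)
        # Hypothetical reset URL; the email carries the token, never a password.
        OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return GENERIC_REPLY

def complete_reset(token, new_password, now=None):
    """Consume the single-use token and set the password the user chose on-site."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING_RESETS.pop(token_hash, None)  # pop: one use only, even if expired
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    user = USERS[email]
    user["salt"] = os.urandom(16)
    user["pw_hash"] = hash_password(new_password, user["salt"])
    return True

def verify_login(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
```

In a real deployment the email send should be queued asynchronously so that the response time does not reveal whether the address exists.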
08/19/19, 02:48 PM   #2
Dolby
Every day I'm shuffling
Premium Member
WoWInterface Admin
Join Date: Feb 2004
Posts: 1,188
Thanks, will look into it.

Just deployed a fix for issue A; it acts the same now if the email is not valid.

Issue B is going to take more time.

Last edited by Dolby : 08/19/19 at 03:37 PM.