
Change user workflows to prevent user enumeration attacks #8537

Status: Merged (2 commits into develop, Dec 14, 2021)

Conversation

andreslucena (Member) wrote:

🎩 What? Why?

In some workflows it's possible to check whether an email address is registered in the application. For instance, on the "Forgot your password?" page, if an attacker tries a registered email she'll get a message ("You will receive an email with instructions on how to reset your password in a few minutes.") that's different from the one for a non-existing user account ("could not be found. Did you sign up previously?"). This attack is known as "account enumeration".

This PR fixes this partially: it isn't solved in the registration form, but it is solved in others like "Forgot your password?" or "Resend unlock instructions".

Testing

  1. Go to the "Resend confirmation instructions", "Forgot your password?" or "Resend unlock instructions" form
  2. Enter an existing user's email
  3. Click the "Send" button
  4. See the alert
  5. Go back to the same form
  6. Enter a non-existing user's email
  7. Click the "Send" button
  8. See that you get the same alert

📷 Screenshots


♥️ Thank you!
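The leak described above, and the regression check a reviewer would want for it, as an added standalone illustration (not Decidim's or Devise's code; the registered address and the mailer stub are constructed; the second message text for the uniform handler is an assumption chosen to match the "same alert" in step 8):

```ruby
# Constructed sample data: the only account that "exists" in this toy model.
REGISTERED = ["alice@example.org"].freeze

# Vulnerable handler: the reply depends on whether the address exists, which is
# exactly the signal an account-enumeration probe needs.
def reset_password_leaky(email)
  if REGISTERED.include?(email)
    { status: :ok,
      message: "You will receive an email with instructions on how to reset your password in a few minutes." }
  else
    { status: :error,
      message: "Email could not be found. Did you sign up previously?" }
  end
end

# Hardened handler: the reply (status, message, and in a real app the redirect
# target too) is identical for every input. The email is still only sent when
# the account exists, but that is not observable from the response.
def reset_password_uniform(email, mailer = ->(_addr) {})
  mailer.call(email) if REGISTERED.include?(email)
  { status: :ok,
    message: "You will receive an email with instructions on how to reset your password in a few minutes." }
end

# Defender's regression check: a flow is enumeration-safe only when a known and
# an unknown address produce the same response. Run it against every
# "send instructions" form (confirmation, password, unlock), not just one.
def enumeration_safe?(handler)
  known   = handler.call("alice@example.org")
  unknown = handler.call("nobody@example.org")
  known == unknown
end
```

The check compares the whole response hash, so a difference in status alone (not only in message text) is also caught.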

@andreslucena andreslucena merged commit 0868353 into develop Dec 14, 2021
@andreslucena andreslucena deleted the feature/devise-paranoid branch December 14, 2021 15:18
@andreslucena andreslucena added the type: change PRs that implement a change for an existing feature label Jan 10, 2022
@alecslupu alecslupu added this to the 0.26.0 milestone Jul 14, 2023
Labels: module: core, target: user-experience, type: change (PRs that implement a change for an existing feature)