Vulnerability - Username cycling #771
Comments
KateMJAC pushed a commit that referenced this issue May 20, 2021

* Display a generic error for wrong password or user not found
* Update SignIn.vue replicating changes from local copy due to a 403 error
* adding lodash as explicit dependency

Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
lloback pushed a commit that referenced this issue Jul 20, 2021

* Display a generic error for wrong password or user not found
* Update SignIn.vue replicating changes from local copy due to a 403 error
* adding lodash as explicit dependency

Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
joy-ade pushed a commit that referenced this issue Aug 10, 2021

* 517 Collect more detailed history of qualifying test responses - Save history - on Exit Modal - on information page - on review - on Situational Judgement - Save session - on skip - on Save
* Disable circleci config
* Include CODEOWNERS
* digital-platform#305 Include pull request template
* Include lint and test in PR workflow
* Fix the broken preview URLs and workflow (#752)
* Small change to test broken
* Preview workflow should use node 10, for now
* Update package-lock
* Small change to test fixed
* test to fix
  Co-authored-by: Tom Russell <TR115251@hotmail.co.uk>
* #729 Fixed errors on Qualifications page (#734)
* #729 Fixed errors on Qualifications page
* #729 Changes as per PR comments
  Co-authored-by: Maria Brookes <maria_brookes@yahoo.co.uk>
  Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
* #708 account creation issues (#751)
* Add await into account creation - improve password validation
* sort sign-in chronology
* add and fix password tests
* Add await into account creation - improve password validation
* sort sign-in chronology
* add and fix password tests
* fix signUp test
  Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
* #720 Added a message if vacancy was unpublished (#732)
* #720 Added a message if vacancy was unpublished
* #720 Display message if vacancy unpublished
* Made changes to make applications appear
* Made changes to make applications appear
* Made changes to make applications appear
* WIP
* #720 Made changes to accommodate unpublished vacancy
  Co-authored-by: Maria Brookes <maria_brookes@yahoo.co.uk>
  Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
* Update github workflow files
* Bump version number to 1.39.0
* Remove circleCI config
* Update README.md
* Bump version number to 1.40.0
* Update workflows to target staging and production
* Bump version number to 1.39.0
* Remove name-blind sift and phone assessment from timeline (#753)
* remove name-blind sift and phone assessment from timeline
* fix timeline tests
* delete commented code
  Co-authored-by: HalcyonJAC <79906532+HalcyonJAC@users.noreply.github.com>
* Security/769 weak passwords allowed in reset form (#778)
* Reset PW component with proper validation
* check for valid action code
* #771 Authentication Generic Errors (#775)
* Display a generic error for wrong password or user not found
* Update SignIn.vue replicating changes from local copy due to a 403 error
* adding lodash as explicit dependency
  Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
* #1289 Remove gaps in employment from non-legal exercises (#761)
* initial changes
* Update readme
* remove commented code
  Co-authored-by: Warren Searle <warren@precise-minds.co.uk>
* #1313 Location preferences (#777)
* wip
* wip
* ranked choice changes
* remove unrelated changes
* remove padding
* remove phantom checkbox
* add to review page
* remove from review page [wrong branch]
  Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
* Workflow: on merge. Change develop to main branch
* Bump version number to 1.40.0
* 517 Collect more detailed history of qualifying test responses - Save history - on Exit Modal - on information page - on review - on Situational Judgement - Save session - on skip - on Save
* [517] fix analytics
* [517] resolve conflict package-lock

Co-authored-by: Lisias (Lee) Loback <lisias@loback.co.uk>
Co-authored-by: Warren Searle <warren@precise-minds.co.uk>
Co-authored-by: warrensearle <warren.searle@judicialappointments.digital>
Co-authored-by: Tom Russell <TR115251@hotmail.co.uk>
Co-authored-by: Maria Brookes <40855898+mbrookeswebdev@users.noreply.github.com>
Co-authored-by: Maria Brookes <maria_brookes@yahoo.co.uk>
Co-authored-by: tomlovesgithub <44227249+tomlovesgithub@users.noreply.github.com>
Co-authored-by: HalcyonJAC <79906532+HalcyonJAC@users.noreply.github.com>
When attempting to sign in with an invalid email address, the following error appears:
When attempting to sign in with a valid email but invalid password, the following error appears:
The error message changes depending on whether the email address entered is for a registered user account or not. This means that a bad actor could cycle email addresses until they discover a valid one.
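
The behaviour reported in this issue next to the fix named in the referenced commits (one generic error for wrong password or user not found), as an added example that is not the project's `SignIn.vue` code. The error codes, messages, function names and the in-memory user store are hypothetical, and the last function is a regression check that fails if the two cases become distinguishable again.

```javascript
// Added example; every name, code and message here is hypothetical.
const GENERIC_CREDENTIAL_ERROR = 'The email address or password is incorrect.';
const SERVICE_ERROR = 'Sign-in is temporarily unavailable. Please try again.';

// Hypothetical backend error codes that disclose whether an account exists.
const CREDENTIAL_ERROR_CODES = new Set(['USER_NOT_FOUND', 'WRONG_PASSWORD']);

// Constructed in-memory user store standing in for the real auth backend
// (plain-text comparison is for the demo only).
const USERS = new Map([['registered@example.test', 'correct-horse']]);

function authError(code, message) {
  return Object.assign(new Error(message), { code });
}

// Stand-in backend: reports a specific reason for each failure.
function backendSignIn(email, password) {
  if (!USERS.has(email)) throw authError('USER_NOT_FOUND', 'No account exists for this email.');
  if (USERS.get(email) !== password) throw authError('WRONG_PASSWORD', 'The password is incorrect.');
  return { email };
}

// Before: the backend's reason is shown to the user as-is.
function signInLeaky(email, password) {
  try {
    return { ok: true, user: backendSignIn(email, password) };
  } catch (err) {
    return { ok: false, message: err.message };
  }
}

// After: both credential failures collapse into one message; other
// failures (outage, network) keep a separate, non-revealing message.
function signInGeneric(email, password, backend = backendSignIn) {
  try {
    return { ok: true, user: backend(email, password) };
  } catch (err) {
    const credential = CREDENTIAL_ERROR_CODES.has(err.code);
    return { ok: false, message: credential ? GENERIC_CREDENTIAL_ERROR : SERVICE_ERROR };
  }
}

// Regression check: true if the response differs between an unregistered
// and a registered email when the password is wrong in both cases.
function revealsAccountExistence(signIn) {
  const unknown = signIn('nobody@example.test', 'wrong-password');
  const known = signIn('registered@example.test', 'wrong-password');
  return JSON.stringify(unknown) !== JSON.stringify(known);
}
```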