colymba/silverstripe-restfulapi

Lost password existing account disclosure

Closed this issue · 4 comments

Should the api/auth/lostPassword?email=*** endpoint return anything other than a generic response, i.e. {"email":true}, rather than what it currently does, which is two different responses: one if the account exists and one if it does not? It would probably be better for security if it returned a generic response, much like /Security/lostpassword does.

I have a proposed fix in the Webbuilders Group fork; if you agree, I'll submit a pull request accordingly for you to merge.

Thanks @UndefinedOffset, sounds good to me! One suggestion, should we change "email" in the response to done or something else generic?

Ya, I like that idea. I've switched it to done and will open a pull shortly.
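As an added illustration of the two response shapes discussed in this issue (example code, not the module's own handler; the member lookup and mailer are assumed callables standing in for the real ones):

```php
<?php
// Added illustration, not code from the colymba/silverstripe-restfulapi module.
// $findMember and $sendResetEmail are assumed stand-ins for the member lookup
// and the reset-mail sender.

// Leaky form: the response body differs depending on whether the account
// exists, so the endpoint confirms which e-mail addresses have accounts.
function lostPasswordLeaky(string $email, callable $findMember, callable $sendResetEmail): array
{
    $member = $findMember($email);
    if ($member === null) {
        return ['email' => false, 'message' => 'No account found'];
    }
    $sendResetEmail($member);
    return ['email' => true];
}

// Generic form: the reset mail is still sent when the account exists, but the
// caller always receives the same {"done": true} body, as agreed in the thread.
function lostPasswordGeneric(string $email, callable $findMember, callable $sendResetEmail): array
{
    $member = $findMember($email);
    if ($member !== null) {
        $sendResetEmail($member);
    }
    return ['done' => true];
}

// Constructed in-memory stand-ins for the member table and the mailer.
$members = ['alice@example.com' => ['ID' => 1]];
$findMember = fn(string $email) => $members[strtolower($email)] ?? null;
$sent = [];
$sendResetEmail = function (array $member) use (&$sent) {
    $sent[] = $member['ID'];
};

// One known and one unknown address: the leaky bodies differ, the generic
// bodies do not, and only the known account receives a reset mail.
foreach (['alice@example.com', 'nobody@example.com'] as $email) {
    echo $email, ' leaky:   ', json_encode(lostPasswordLeaky($email, $findMember, $sendResetEmail)), PHP_EOL;
    echo $email, ' generic: ', json_encode(lostPasswordGeneric($email, $findMember, $sendResetEmail)), PHP_EOL;
}
echo 'reset mails sent to member IDs: ', json_encode($sent), PHP_EOL;
```

The generic handler keeps the side effect (sending the mail) conditional on the lookup while keeping the response body independent of it, which is the property the issue asks for.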