Reset Password: Email is sent even though the user is not registered

Jed
6 months ago
10
  • thisisnotchris
    6 months ago

    I'm going to guess the intended purpose is not to reveal if the email was valid or not.

    The same kind of reason why, when you log in via a login form, on the server if the password fails you don't want to respond "wrong password", because then they know that the email exists but the password is wrong.

  • Jed
    6 months ago

    Can we customize this to a message

    or can we customize this to check if the user exists

  • Kyr
    6 months ago

    thisisnotchris is correct, it will be for security.

    Anywhere that an attacker could attempt to learn whether a username/email is valid/registered needs to respond with generic messages.

    A good resource for this sort of thing can be found on the OWASP website -
    https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

    It should not actually send an email to users that don't appear in the system though. That would just be silly.

  • thisisnotchris
    6 months ago

    My guess is that it doesn't send the emails, but the message relayed was confusing to them

  • Kyr
    6 months ago

    99% of all "forgot password" processes that use sending an email link to let you reset your password will use very similar wording. Most will indicate success regardless of whether the email exists or not.

    The problem is that the message isn't the only thing an attacker can check to see if the user exists. They can test how long it takes the system to show the message and use differences in timing to guess more accurately whether a user exists. For this reason most systems will not only show the exact same message regardless of the user's existence but will also not even wait for the check to happen before showing the success message.

    They will "fire and forget" a request to send a password reset for the email entered, then immediately show the message without waiting for the result. This means that the timing will be the same for any email address entered regardless of its existence in the system.
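The generic-message and "fire and forget" handling Kyr describes in the two replies above, as an added illustration that is not part of the thread and not Payload's own code. The in-memory user set, the `sendMail` callback, the handler names and the wording of the generic message are all assumptions made for the example; a real deployment would hand the deferred work to a job queue rather than `setTimeout`.

```javascript
// Added example, not Payload's code: a forgot-password handler that gives the
// same response, and the same response time, whether or not the address is
// registered. The user store and mailer are constructed stand-ins.

const registeredUsers = new Set(["alice@example.com"]); // constructed sample data

// One message for every input: success is "claimed" whether or not a user exists.
const GENERIC_MESSAGE =
  "If an account exists for that address, a password reset link has been sent.";

function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Weak version (the behaviour the client in the thread is asking for):
// the status and message differ, and the mailer only runs for real users,
// so both the content and the timing reveal whether the address is registered.
function forgotPasswordLeaky(email, sendMail) {
  const addr = normalizeEmail(email);
  if (!registeredUsers.has(addr)) {
    return { status: 404, message: "Email not found, please use an existing email" };
  }
  sendMail(addr);
  return { status: 200, message: "Reset link sent" };
}

// Hardened version: respond first, do the lookup and the send afterwards.
// Nothing about the user's existence influences what is returned or when.
function forgotPasswordSafe(email, sendMail) {
  const addr = normalizeEmail(email);
  // "Fire and forget": the lookup and the mail send run on a later turn of the
  // event loop, after the response has already been produced.
  setTimeout(() => {
    try {
      if (registeredUsers.has(addr)) sendMail(addr);
    } catch (err) {
      // Log internally; a mailer failure must never change the user-facing result.
      console.error("reset mail failed:", err.message);
    }
  }, 0);
  return { status: 200, message: GENERIC_MESSAGE };
}

// Small harness: runs a handler over several addresses and records what it
// would have sent synchronously (the safe handler sends nothing until later).
function demo(handler, emails) {
  const sent = [];
  const responses = emails.map((e) => handler(e, (addr) => sent.push(addr)));
  return { responses, sent };
}

const sampleInputs = ["alice@example.com", "nobody@example.com"];
const leakyRun = demo(forgotPasswordLeaky, sampleInputs);
const safeRun = demo(forgotPasswordSafe, sampleInputs);
console.log("leaky:", JSON.stringify(leakyRun.responses), "sent now:", leakyRun.sent);
console.log("safe: ", JSON.stringify(safeRun.responses), "sent now:", safeRun.sent);
```

The two `console.log` lines show the contrast: the leaky handler returns a 404 for the unknown address and has already called the mailer for the known one, while the safe handler returns byte-identical responses for both and has called the mailer zero times by the moment it returns, so neither the body nor the elapsed time depends on the lookup. The OWASP cheat sheet linked above covers the same two points (generic message, no observable difference in processing).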

  • Jed
    6 months ago

    Our client wants it to be customized to "Email not found, please use an existing email", since this will only be given to their employees, not to the public.

    That's the only reason why I wanted to confirm if these can be customized

  • Kyr
    6 months ago

    If the login page is open to the internet it doesn't matter if only employees will be given the link, it can be discovered by anyone. If they are keeping it 100% on a local/internal network the risk is less, but not zero since network breaches do happen.

    Fundamentally, this request is dangerous nonsense and if they were my client I'd be asking someone higher up why they think cybersecurity is unimportant.

    It might be something that can be overridden in the admin UI, but I've never looked into it for obvious reasons. If not, and if they are committed to opening themselves up to cyber attacks, then I'd suggest that it would require cloning the payload repo and building a custom version to override the in-built security features as they require... but that would also mean that future upgrades would be more difficult.

    I'd certainly be asking for a waiver of liability before carrying out any such work.
