I'm going to guess the intended purpose is not to reveal if the email was valid or not
The same kind of reason why, when you log in through a login form, if the password fails you don't want the server to respond "wrong password", because then they know that the email exists but the password is wrong.
Can we customize this to a message?
Or can we customize this to check if the user exists?
thisisnotchris is correct, it will be for security.
Anywhere that an attacker could attempt to learn whether a username/email is valid/registered needs to respond with generic messages.
A good resource for this sort of thing can be found on the OWASP website - https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
It should not actually send an email to users that don't appear in the system though. That would just be silly.
My guess is that it doesn't send the emails, but the message relayed was confusing to them
99% of all "forgot password" processes that use sending an email link to let you reset your password will use very similar wording. Most will indicate success regardless of whether the email exists or not.
The problem is that the message isn't the only thing an attacker can check to see if the user exists. They can test how long it takes the system to show the message and use differences in timing to guess more accurately whether a user exists. For this reason most systems will not only show the exact same message regardless of the user's existence but will also not even wait for the check to happen before showing the success message.
They will "fire and forget" a request to send a password reset for the email entered, then immediately show the message without waiting for the result. This means that the timing will be the same for any email address entered, regardless of its existence in the system.
Our client wants it to be customized to "Email not found, please use an existing email", since this will only be given to their employees, not to the public.
That's the only reason why I wanted to confirm if these can be customized.
If the login page is open to the internet it doesn't matter if only employees will be given the link, it can be discovered by anyone. If they are keeping it 100% on a local/internal network the risk is less, but not zero since network breaches do happen.
Fundamentally, this request is dangerous nonsense and if they were my client I'd be asking someone higher up why they think cybersecurity is unimportant.
It might be something that can be overridden in the admin UI, but I've never looked into it for obvious reasons. If not, and if they are committed to opening themselves up to cyber attacks, then I'd suggest that it would require cloning the payload repo and building a custom version to override the in-built security features as they require... but that would also mean that future upgrades would be more difficult.
I'd certainly be asking for a waiver of liability before carrying out any such work.