FS#48366 - Password reset for non-existing AUR accounts

Attached to Project: AUR web interface
Opened by Christian Jurk (commx) - Sunday, 28 February 2016, 12:41 GMT
Last edited by Lukas Fleischer (lfleischer) - Thursday, 23 April 2020, 00:18 GMT
Task Type Bug Report
Category Arch Projects
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When requesting a password for an arbitrary email address, the "Forgot Password" function will show "Check your e-mail for the confirmation link.", regardless of whether the used email address exists or not. This will confuse users in case they used a different email address for their account and therefore don't receive any email.

Closed by Lukas Fleischer (lfleischer)
Thursday, 23 April 2020, 00:18 GMT
Reason for closing: Not a bug
Comment by Ike Devolder (BlackEagle) - Sunday, 28 February 2016, 12:52 GMT
This is perfectly normal. The website should not leak if the email you entered is registered or not. It's up to you to use the correct email address.
Comment by Christian Jurk (commx) - Sunday, 28 February 2016, 13:04 GMT
On the other hand, the registration page would tell whether the email address is in use or not. At least I'd suggest to change the wording for the "Forgot Password" function to be something like "A confirmation link has been sent to your email address, if it exists and is registered to our system". Security by obscurity does not fit into my understanding of what Arch Linux stands for, and a plus in nicer user experience is always a good point.
Comment by Ike Devolder (BlackEagle) - Sunday, 28 February 2016, 13:49 GMT
Ok the message could be better.

But not leaking if an email is registered is not security by obscurity.

If the registration page just returns if an email is in use, then there is an issue with the registration page.
Comment by Mark Weiman (markzz) - Monday, 21 March 2016, 15:11 GMT
On the forgot password page, it really doesn't have to report if there was an email address sent. It should just send to that email address if an account exists. If not, just do nothing.

On the registration page, it should inform the user the reason why the form submission failed. This includes "A user with this username exists" and "The email address provided is already used" and other sites do this.
