It is currently possible for someone to figure out if a specific email address is registered with the VSP. We do have a captcha on all the pages that expose this information (this would prevent automated attacks), but someone could still make these requests manually.
This information is exposed on two pages.
site.com/register: if we give an email that already exists, it throws the error "This email address is already registered".
Fix:
Give a generic message regardless of whether the email is registered or not (this is how politeia has implemented it).
We can have a message similar to politeia
Please check your inbox to verify your registration.
Note that, for privacy reasons, the VSP does not disclose whether an email address has already been registered. If you don't receive an email:
site.com/settings: if the email address already exists, it will throw the error "email address in use".
Unlike the solution above, we cannot fix this by simply giving a single generic message for both. It requires some additional fixing.
This is because "change email" triggers an email to the "old email" address. So depending on whether the attacker received the email or not, they can determine if the "new email" exists in the system. So we need to either:
a. send an email to "new email" first and send the "email changed" email to "old email" only after email confirmation.
or
b. send a notification email to the "old email" regardless of if the "new email" exists or not.
"b" seems to be the better option.
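As an added illustration (not code from the issue or from the VSP project), the sketch below contrasts the leaky register response described above with the two fixes proposed: a single generic registration message, and option "b" for change email, where the old address is notified whether or not the new one exists. The store, mailer and function names are hypothetical stand-ins, and the addresses are constructed sample data.

```go
package main

import "fmt"

// Constructed in-memory stand-ins for the VSP's user store and mailer; hypothetical names.
type Store struct{ Users map[string]bool }
type Mailer struct{ Sent map[string][]string } // recipient -> subjects sent

func (m *Mailer) Send(to, subject string) { m.Sent[to] = append(m.Sent[to], subject) }

const registerMsg = "Please check your inbox to verify your registration."
const changeMsg = "Please check your inbox to confirm the change."

// RegisterLeaky is the behaviour the issue describes: the response itself
// tells the caller whether the address is already registered.
func RegisterLeaky(s *Store, email string) string {
	if s.Users[email] {
		return "This email address is already registered"
	}
	return registerMsg
}

// Register answers identically in both cases; the only difference is a
// verification email that reaches the new address, not the caller.
func Register(s *Store, m *Mailer, email string) string {
	if !s.Users[email] {
		m.Send(email, "verify registration")
	}
	return registerMsg
}

// ChangeEmail implements option "b": oldEmail is always notified, so the
// caller's inbox no longer reveals whether newEmail belongs to someone else.
func ChangeEmail(s *Store, m *Mailer, oldEmail, newEmail string) string {
	m.Send(oldEmail, "email change requested")
	if !s.Users[newEmail] {
		m.Send(newEmail, "confirm new address")
	}
	return changeMsg
}

func VisibleTo(m *Mailer, addr string) int { return len(m.Sent[addr]) } // mail a caller controlling addr sees

func main() {
	s := &Store{Users: map[string]bool{"alice@example.com": true}} // constructed data
	m := &Mailer{Sent: map[string][]string{}}
	ChangeEmail(s, m, "attacker@example.com", "alice@example.com") // newEmail exists
	ChangeEmail(s, m, "attacker@example.com", "carol@example.com") // newEmail does not
	fmt.Println(Register(s, m, "alice@example.com") == Register(s, m, "bob@example.com"), VisibleTo(m, "attacker@example.com"))
}
```

Note that this closes only the response and notification oracles the issue names; response timing between the two branches is a separate concern and is not modelled here.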