sendResetPwd, information leak
With the sendResetPwd action, if the email address does not exist, a 404 error is thrown.
I think this is an information leak, because thanks to that call, an attacker can find if an email address is valid or not (i.e. in the database). I think this call should not return the user info, and send the same empty response, whatever the case (user exists or not).
Regards.
Issue Analytics
- Created 6 years ago
- Reactions: 3
- Comments: 8 (1 by maintainers)
Top GitHub Comments

This is an old and closed issue. But in case anybody searches for a solution for this issue that works with REST and Websocket transport: You can always remove the error and unify the result that is returned to the frontend in the error and after hooks of a Feathers service. Here is a simple example for the sendResetPwd action of our auth-management service:

Yes or rate limiting.
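The hook-based approach described in the first comment above, as an added JavaScript example that is not from the issue or from the feathers-authentication-management project: the two hook bodies follow the Feathers hook contract (context.data, context.result, context.error; a result set in an error hook replaces the error), while runWithHooks, USERS and fakeAuthManagementCreate are constructed stand-ins for the framework's hook runner and the service so the example runs without Feathers or a database.

```javascript
// Added example (not code from the issue or feathers-authentication-management).
// Feathers-style `after` and `error` hooks that make sendResetPwd answer the same
// way whether or not the e-mail exists. They follow the Feathers hook contract
// (context.data/result/error; a result set in an error hook replaces the error).
// runWithHooks, USERS and fakeAuthManagementCreate are constructed stand-ins.

const EMPTY_RESULT = Object.freeze({});
const isResetRequest = (ctx) => Boolean(ctx.data && ctx.data.action === 'sendResetPwd');

// `after` hook: never echo the user record back to the client.
function hideUserOnResetRequest(context) {
  if (isResetRequest(context)) context.result = { ...EMPTY_RESULT };
  return context;
}

// `error` hook: mask the 404 for sendResetPwd, but flag it on the context so
// server-side logging and rate limiting can still see the failed lookup.
function hideNotFoundOnResetRequest(context) {
  if (isResetRequest(context) && context.error && context.error.code === 404) {
    context.maskedNotFound = true;
    context.result = { ...EMPTY_RESULT };
  }
  return context;
}

// Stand-in for the Feathers hook runner. In a real app the hooks are registered
// with service.hooks({ after: { create: [...] }, error: { create: [...] } }).
function runWithHooks(createFn, data) {
  const context = { data, result: undefined, error: undefined };
  try {
    context.result = createFn(data);
    hideUserOnResetRequest(context);
  } catch (err) {
    context.error = err;
    hideNotFoundOnResetRequest(context);
    if (context.result === undefined) throw err; // unmasked errors still propagate
  }
  return context;
}

// Constructed stand-in for the authManagement service's create(): returns the
// user for a known e-mail and throws a 404-style error otherwise.
const USERS = { 'alice@example.com': { id: 1, email: 'alice@example.com' } };
function fakeAuthManagementCreate(data) {
  if (data.action !== 'sendResetPwd') return { ok: true };
  const user = USERS[data.value.email];
  if (!user) { const e = new Error('User not found.'); e.code = 404; throw e; }
  return user;
}
```

Once both branches return the same empty object, the rate limiting mentioned in the second comment is the remaining control against bulk probing of the endpoint, and the maskedNotFound flag left on the context is where such a decision or an audit log entry can hook in.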