sendResetPwd, information leak

With the sendResetPwd action, if the email address does not exist, a 404 error is thrown.

I think this is an information leak, because thanks to that call, an attacker can find out if an email address is valid or not (i.e. in the database). I think this call should not return the user info, and should send the same empty response, whatever the case (user exists or not).

Regards.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 3
  • Comments: 8 (1 by maintainers)

Top GitHub Comments

2 reactions
OnnoGabriel commented, Jul 4, 2022

This is an old and closed issue. But in case anybody searches for a solution to this issue that works with REST and Websocket transport: you can always remove the error and unify the result that is returned to the frontend in the error and after hooks of a Feathers service. Here is a simple example for the sendResetPwd action of our 'auth-management' service:

  app.service('/auth-management').hooks({
    error: {
      all: [
        // Delete error and return only true after "sendResetPwd" request
        // => to hide any existence or not-existence of users
        (context) => {
          if (context.data && context.data.action === 'sendResetPwd') {
            delete context.error;
            context.result = true;
          }
        },
      ],
    },
    after: {
      all: [
        // Return only true after "sendResetPwd" request
        // => to hide any existence or not-existence of users
        (context) => {
          if (context.data && context.data.action === 'sendResetPwd') {
            context.result = true;
          }
        },
      ],
    },
  });
1 reaction
claustres commented, Sep 4, 2018

Yes or rate limiting.
