
Password Reset Allows Any Username #2409

Closed
AdityaJ2305 opened this issue Aug 28, 2024 · 2 comments

Comments

@AdityaJ2305

Description

The password reset feature allows a reset request for any username, including invalid ones, without checking if the username exists.
[Screenshot attached: 2024-08-28, 1:20:32 PM]
It is returning res.ok = true for every username.

Steps to Reproduce

  1. Go to the password reset page.
  2. Enter a random or invalid username.
  3. Submit the request and see that a success message is shown.

Expected Behavior

  • The system should validate if the username exists and return an error if it does not.

Actual Behavior

  • Success message is shown for any username entered, regardless of its validity.

Proposed Fix

  • Validate username existence properly before processing the request.

@github-project-automation github-project-automation bot moved this to Triage in Care Aug 28, 2024
@rithviknishad rithviknishad moved this from Triage to Up Next in Care Aug 28, 2024
@bodhish

bodhish commented Aug 29, 2024

It's intentional; as per OWASP we should do that.

Return a consistent message for both existent and non-existent accounts.

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
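
The behaviour the OWASP cheat sheet calls for, as an added illustration that is not the project's own code: a reset-request handler that returns an identical response for known and unknown usernames, does the same work on both paths, and only records a mail for a real account. The user store, outbox and function names are constructed stand-ins for the application's database and mail backend.

```python
import hashlib
import secrets

# Constructed stand-ins (not the project's data): a user table mapping
# username -> e-mail, a store of hashed reset tokens, and a mail outbox.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}
TOKEN_HASHES: dict[str, str] = {}          # username -> sha256(token)
OUTBOX: list[tuple[str, str]] = []         # (recipient, raw token)

# One message for every outcome, so the body never confirms an account.
GENERIC_MESSAGE = (
    "If an account with that username exists, "
    "a password reset link has been sent."
)


def _issue_token() -> str:
    """Generate a reset token; called on every request regardless of outcome."""
    return secrets.token_urlsafe(32)


def request_password_reset(username: str) -> dict:
    """Handle a reset request without revealing whether `username` exists.

    Both branches return the same status and body and both generate a
    token, so neither the response nor the amount of work done depends
    on whether the account is real. Actual mail delivery should be
    queued asynchronously so delivery time cannot leak the result either.
    """
    token = _issue_token()
    email = USERS.get(username)
    if email is not None:
        # Real account: persist only the hash and hand the raw token to mail.
        TOKEN_HASHES[username] = hashlib.sha256(token.encode()).hexdigest()
        OUTBOX.append((email, token))
    # Unknown account: nothing is stored or sent, but the reply is identical.
    return {"status": 200, "ok": True, "detail": GENERIC_MESSAGE}


def responses_match(a: str, b: str) -> bool:
    """True when two usernames produce byte-identical responses."""
    return request_password_reset(a) == request_password_reset(b)
```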

@bodhish

bodhish commented Aug 29, 2024

@rithviknishad 👆note

@rithviknishad rithviknishad moved this from Up Next to Triage in Care Aug 29, 2024
@gigincg gigincg closed this as not planned Won't fix, can't repro, duplicate, stale Aug 29, 2024
@github-project-automation github-project-automation bot moved this from Triage to Done in Care Aug 29, 2024