[wp-trac] [WordPress Trac] #31787: Password Reset Form Information Disclosure
WordPress Trac
noreply at wordpress.org
Fri Mar 27 16:28:11 UTC 2015
#31787: Password Reset Form Information Disclosure
--------------------------+-----------------------------
Reporter: mrtortai | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
On the WordPress Lost Your Password form (/wp-login.php?action=lostpassword):

If you enter an incorrect username, the following message will display:
"ERROR: Invalid username or e-mail."

And if you enter an incorrect email address, the following message will display:
"ERROR: There is no user registered with that email address."

These error messages provide helpful information to an attacker, automated bot or spammer by helping them determine correct usernames and email addresses.
For an alternative approach, we can look at Apple, Namecheap and Cloudflare, for example:

Apple:
https://iforgot.apple.com/password/verify/appleid
Enter any incorrect Apple ID. The value can be accepted and the form provides no indication that the Apple ID is incorrect.

Namecheap:
https://manage.www.namecheap.com/myaccount/rememberpwd.asp
Enter an incorrect username or email address.
Nondescript message: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes!"

Cloudflare:
https://www.cloudflare.com/forgot-password
Enter an incorrect email address.
Nondescript message: "If an account with this email exists in the system you will receive an email confirmation shortly."
Suggestions:
The WordPress Lost Your Password form should not provide any indication of whether the username or email address entered is correct or incorrect.
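The leaky and the uniform behaviour side by side, as an added illustration that is not WordPress code (wp-login.php is not reproduced here): the first handler returns the two messages quoted in the ticket, the second answers identically for every input while still only mailing a registered account, and a small check shows which of the two can be used as an account-existence oracle. The USERS table and the probe identifiers are constructed sample data.

```python
# Constructed illustration, not WordPress's wp-login.php: the leaky handler
# reproduces the two messages from the ticket; the uniform handler answers
# the same way whether or not the identifier matches an account.

# Constructed sample account table: username -> registered e-mail address.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}


def lookup_email(identifier):
    """Resolve a username or e-mail address to the account's e-mail, or None."""
    if "@" in identifier:
        return identifier if identifier in USERS.values() else None
    return USERS.get(identifier)


def lost_password_leaky(identifier, outbox):
    """Vulnerable pattern: the error text reveals whether the username or
    e-mail exists, so the form works as an account-existence oracle."""
    email = lookup_email(identifier)
    if email is None:
        if "@" in identifier:
            return "ERROR: There is no user registered with that email address."
        return "ERROR: Invalid username or e-mail."
    outbox.append(email)  # stands in for sending the reset link
    return "Check your e-mail for the confirmation link."


GENERIC_MESSAGE = ("If an account matches what you entered, a password reset "
                   "link has been sent to its e-mail address.")


def lost_password_uniform(identifier, outbox):
    """Hardened pattern: identical response for any input; the reset mail is
    still sent only when an account actually matches."""
    email = lookup_email(identifier)
    if email is not None:
        outbox.append(email)
    return GENERIC_MESSAGE


def is_existence_oracle(handler, probes):
    """Defender's regression check: True if the handler's response text varies
    across probe inputs (some registered, some not), i.e. it leaks existence."""
    return len({handler(probe, []) for probe in probes}) > 1


if __name__ == "__main__":
    probes = ["alice", "zed", "bob@example.com", "nobody@example.com"]
    print("leaky leaks:", is_existence_oracle(lost_password_leaky, probes))
    print("uniform leaks:", is_existence_oracle(lost_password_uniform, probes))
```

Sending the reset mail synchronously still leaves a measurable timing difference between the two branches of the uniform handler; queueing the mail for background delivery keeps the response time as uniform as the message text.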
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31787>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform