alwaysdata All Projects: Tasklist

	ID	Status	Summary	Opened by
	19	Closed	~~User Enumeration Through Forgot Password Vulnerability~~	basil	Task Description The application's "Forgot Password" feature allows user enumeration. This is because the application responds with a different message depending on whether the submitted email address is registered or not. (https://admin.alwaysdata.com/password/lost/) steps to Reproduce: Access the "Forgot Password" page. Enter a random, non-registered email address. Submit the request. Observe the response message: the message states "There is no account with this email address," which means that user enumeration is possible. An attacker could exploit this vulnerability to: Gather a list of valid user email addresses. Launch targeted phishing attacks. Use the information to attempt password guessing or brute force attacks Remediation: Implement Generic Response: The application should provide the same response message regardless of whether the email address is registered or not. This prevents attackers from differentiating between valid and invalid accounts. Additional Notes: i am aware that this bug is not eligible for a bounty but wanted to bring it to the team's attention. Best Wishes -Basil

Closed

~~User Enumeration Through Forgot Password Vulnerability~~

Task Description

The application's "Forgot Password" feature allows user enumeration. This is because the application responds with a different message depending on whether the submitted email address is registered or not.
(https://admin.alwaysdata.com/password/lost/)

steps to Reproduce:

Access the "Forgot Password" page.
Enter a random, non-registered email address.
Submit the request.
Observe the response message:

  the message states "There is no account with this email address," which means that user enumeration is possible.
 An attacker could exploit this vulnerability to:

Gather a list of valid user email addresses.
Launch targeted phishing attacks.
Use the information to attempt password guessing or brute force attacks

Remediation:
Implement Generic Response: The application should provide the same response message regardless of whether the email address is registered or not. This prevents attackers from differentiating between valid and invalid accounts.

Additional Notes:

i am aware that this bug is not eligible for a bounty but wanted to bring it to the team's attention.

Best Wishes -Basil

Showing tasks 1 - 1 of 1 Page 1 of 1

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task