Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#5130 closed defect (wontfix)

Reset password facility leaks email addresses

Reported by: oxplot
Owned by: rails-dev@…
Priority: critical
Milestone:
Component: website
Version:
Keywords:
Cc:

Description

When using the Lost Password facility, openstreetmap warns the user if the entered email address doesn't exist in the system. This is a very well-known security issue and can allow attackers to cut the time needed to crack their way in by orders of magnitude (see a mention of it under the "DON'T disclose valid usernames" section).

The proper way is to show the success message for all inputs. If the user mistyped their email, they won't receive an email and will retry.
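An added example, not OSM's Rails code and not written by the reporter: a plain-Ruby sketch of the two behaviours the description contrasts. `USERS` and `OUTBOX` are constructed stand-ins for the user table and the mail queue, and `leaks_existence?` is the check a reviewer would run against an endpoint to see whether its response differs between a registered and an unregistered address.

```ruby
require "securerandom"

# Constructed sample user table (stand-in for the real users table): email => id
USERS = {
  "alice@example.org" => 1,
  "bob@example.org"   => 2,
}.freeze

# Stand-in for the mailer / background job queue. Reset mail should be queued,
# not sent inline, so response time does not reveal whether a mail went out.
OUTBOX = []

def new_reset_token
  SecureRandom.hex(16)
end

# Leaky version: the response depends on whether the address is registered,
# so anyone can enumerate addresses from the message (or the status code) alone.
def leaky_reset_request(email)
  user_id = USERS[email]
  return { status: 404, body: "Sorry, we couldn't find that email address." } if user_id.nil?

  OUTBOX << { to: email, user_id: user_id, token: new_reset_token }
  { status: 200, body: "A password reset link has been sent to #{email}." }
end

# Uniform version: same status and same text for every input. The token is
# generated on both paths so the work done does not depend on the lookup result;
# only the queueing step is conditional. The message tells the user what to do
# if nothing arrives, which is the usability concern raised in this thread.
def uniform_reset_request(email)
  user_id = USERS[email]
  token = new_reset_token
  OUTBOX << { to: email, user_id: user_id, token: token } unless user_id.nil?
  { status: 200,
    body: "If an account exists for that address, a reset link has been sent. " \
          "If it does not arrive within a few minutes, check the address and try again." }
end

# Enumeration check: call the handler with a registered and an unregistered
# address and report whether the responses differ. True means the endpoint leaks.
def leaks_existence?(handler)
  known   = handler.call("alice@example.org")
  unknown = handler.call("nobody@example.org")
  known != unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky handler leaks: #{leaks_existence?(method(:leaky_reset_request))}"
  puts "uniform handler leaks: #{leaks_existence?(method(:uniform_reset_request))}"
end
```

The check compares the whole response hash, because status code, body length and redirect target all leak as readily as the wording does. Response timing is the remaining channel: a synchronous SMTP send on the "address found" path is measurable from outside, which is why the example only queues the mail.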

Change History (6)

comment:1 Changed 5 years ago by Tom Hughes

Resolution: wontfix
Status: new → closed

I'm perfectly well aware of that advice, but we have chosen not to follow it in this case because, frankly, it makes for utterly terrible usability.

If the only feedback to let you know if you typed the address right, or if your memory of which address you registered with is correct, is an email that might not arrive until some hours later then the whole experience becomes a nightmare for a (possibly not very technical) user.

As the person who gets the emails when people can't help themselves, there is no way I am going to do this, I'm afraid.

comment:2 Changed 5 years ago by oxplot

Since you mentioned that you have chosen not to follow it, I assume this has never been implemented. So there is actually no data that this change would increase the number of emails you receive. As a solution to a possible increase, you could show a message to ask the user to retry the procedure should they not receive the email promptly.

Now, regarding "terrible usability", I agree with you but it shouldn't mean abandoning security. You (openstreetmap) are responsible for keeping your users' data confidential. Now Apple's Forgot Password feature tells you they've sent the email regardless. I mention Apple because they're known for some of the best UX designs. However, Facebook, Twitter, Instagram, Reddit, Wikipedia, GitHub and others do what OSM does. But with a difference: they watch the usage very closely and stop brute force attacks by use of reCAPTCHA, for instance (usability anyone?). In contrast, I just ran a script to try 1000 reset requests in under 2 minutes and OSM answered each and every one of them!

It'd be better usability if no one had to enter a password, but we do it because nothing else has the security vs usability balance that passwords provide. But for reset password functionality, there is a choice. OSM, however, is not doing one or the other, but half of one.

comment:3 Changed 5 years ago by Tom Hughes

Those companies also have hundreds or thousands of paid support staff to deal with users who can't manage to reset their passwords. We have me.

comment:4 Changed 5 years ago by Tom Hughes

For the record, I can't remember the exact history of this feature, but in general everything in our authentication etc. has been optimised over time in response to experience of the sort of things that confuse users and lead to them emailing us for help.

comment:5 Changed 5 years ago by Tom Hughes

To summarise the status of this:

  • The reset password page leaks exactly one piece of information - the fact that a given email address is associated with an account. It does not tell you which account or anything else that could not be determined in other ways.
  • I have no problem changing the current system if somebody can provide suggestions for a replacement which will not lead to a major loss of usability - a lot of people using that page are not just trying to reset a password for a known account but are unsure if they even have an account, so that needs to be borne in mind.
  • I do not believe that captchas are generally useful - even the biggest players have trouble keeping their captchas able to resist bots and we would stand no chance.

comment:6 in reply to: 3 Changed 5 years ago by oxplot

Replying to TomH:

> Those companies also have hundreds or thousands of paid support staff to deal with users who can't manage to reset their passwords. We have me.

And you love your users more than the crowd. Those big companies (e.g. Google) don't actually provide any support for lost accounts. It's just not feasible when you have millions of users (unless they are a paid customer). Heck, they even close people's accounts on suspicion that they're compromised and that's fine.

> I have no problem changing the current system if somebody can provide suggestions for a replacement which will not lead to a major loss of usability

Like I mentioned before, implement a rate limiter like reCAPTCHA, but only show it when traffic from an IP goes over a certain threshold. This way, the majority of users won't see it (no loss of usability), but if anyone tries to brute-force your DB, it gets hard fast. True that reCAPTCHA can be defeated (e.g. human bots), but it's much more difficult and expensive to do compared to a 10-line bash script that I wrote in under a minute.

Now, reading your comments, I just realized that this needs to be done on the sign-up page as well (if not already).
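An added example, again not OSM's code and not from either participant, of the threshold-triggered challenge comment:6 proposes: a per-IP sliding-window counter in plain Ruby that lets the first few reset requests through and only demands a captcha once an address exceeds the threshold within the window. The threshold, window length and IP addresses are assumptions chosen for illustration, not OSM policy; the `simulate` helper replays a burst like the 1000-requests-in-two-minutes run mentioned in comment:2 against a fake clock so it runs offline.

```ruby
class ResetRateLimiter
  # threshold: reset requests an IP may make within `window` seconds before a
  # captcha is required. Both values are assumptions for this example.
  # clock: injectable time source (monotonic seconds) so tests can fake time.
  def initialize(threshold: 5, window: 600,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @threshold = threshold
    @window = window
    @clock = clock
    @hits = Hash.new { |h, k| h[k] = [] } # ip => [request timestamps]
  end

  # Record one reset request from ip and decide how to treat it.
  # :allow   normal traffic, process the request as usual
  # :captcha the IP exceeded the threshold within the window; only continue
  #          once a challenge has been solved
  def check(ip)
    now = @clock.call
    recent = @hits[ip]
    recent.reject! { |t| now - t > @window } # drop entries outside the window
    recent << now
    recent.size > @threshold ? :captcha : :allow
  end
end

# Replay a burst of `requests` reset attempts from one IP at `per_second`
# against a fake clock and return how many were allowed vs challenged.
def simulate(requests:, per_second:, threshold: 5, window: 600)
  t = 0.0
  limiter = ResetRateLimiter.new(threshold: threshold, window: window, clock: -> { t })
  decisions = Array.new(requests) do
    t += 1.0 / per_second
    limiter.check("192.0.2.10") # constructed source address (TEST-NET-1)
  end
  decisions.tally
end

if __FILE__ == $PROGRAM_NAME
  # 1000 requests in 100 seconds: only the first `threshold` get through unchallenged
  p simulate(requests: 1000, per_second: 10)
end
```

Two caveats that follow from the design. The state here is in-process; in a multi-server Rails deployment it has to live in a shared store such as Redis (the rack-attack gem implements throttles of exactly this shape). And a per-IP counter alone is weak against an attacker with many source addresses and unfair to users behind carrier-grade NAT, so it is best paired with a per-email-address cap and a global ceiling on reset requests per minute.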
