#31505 closed Cleanup/optimization (fixed)
Document possible email address enumeration in PasswordResetView.
| Reported by: | Mohammad Almazroa | Owned by: | Mariusz Felisiak |
|---|---|---|---|
| Component: | Documentation | Version: | 3.0 |
| Severity: | Normal | Keywords: | User Enumeration Security Bug |
| Cc: | Florian Apolloner | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hello :)
Description:
While implementing the password reset functionality using:
from django.contrib.auth.views import PasswordResetView, PasswordResetDoneView, PasswordResetConfirmView, PasswordResetCompleteView
It was noticed that an attacker will be able to enumerate registered users emails by the response time of the application. long response time means the email exists, quick response time means it does not exist.
Impact:
This will allow attacker to collect list of users emails, which can help in further attacks. Knowing list of emails can start "Password spraying" attack.
Remediation:
Set up a random sleep time when the email does not exists. The response time of correct and incorrect email should be the same.
Screenshot:
Notice that the email "mmalmazroa@…" is an email that is assigned to a user registered in the application, and the response time in "Response received" tab.
Thank you for your work <3
Change History (14)
follow-up: 7 comment:1 by , 5 years ago
| Cc: | added |
|---|---|
| Summary: | User Enumeration in PasswordResetView → User Enumeration in PasswordResetView. |
comment:2 by , 5 years ago
| Component: | contrib.auth → Documentation |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
comment:3 by , 5 years ago
| Summary: | User Enumeration in PasswordResetView. → Document possible email address enumeration in PasswordResetView. |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Bug → Cleanup/optimization |
| Version: | 3.0 → master |
follow-up: 6 comment:5 by , 5 years ago
Replying to Mohammad Almazroa:
Remediation:
Set up a random sleep time when the email does not exists. The response time of correct and incorrect email should be the same.
This is not a remediation, you can average that out with a few requests…
follow-up: 8 comment:6 by , 5 years ago
Replying to Florian Apolloner:
Replying to Mohammad Almazroa:
Remediation:
Set up a random sleep time when the email does not exists. The response time of correct and incorrect email should be the same.
This is not a remediation, you can average that out with a few requests…
A random sleep time should be within the range that the "PasswordResetView" is taking to send an email. This way it is not clear what response time that means valid or not valid email.
That is just an idea, if you have something better I think we should do it.
comment:7 by , 5 years ago
Replying to felixxm:
First of all, please note that security issues should be privately sent to security@… and never on public issue trackers.
Your analysis is correct, however
PasswordResetViewsends an email which always take an extra time. We don't know how much it takes so adding a fixed delay is impossible and for a random sleep time you'd just need a bit of statistic to figure it out.
I think we could document this potential account existence leak in PasswordResetView.
Really sorry that I reported it publicly here.
follow-up: 9 comment:8 by , 5 years ago
Replying to Mohammad Almazroa:
A random sleep time should be within the range that the "PasswordResetView" is taking to send an email. This way it is not clear what response time that means valid or not valid email.
But you don't know how long sending emails takes, so it will just be a relatively good guess at best which does not help since it can be determined via enough requests…
comment:9 by , 5 years ago
Replying to Florian Apolloner:
Replying to Mohammad Almazroa:
A random sleep time should be within the range that the "PasswordResetView" is taking to send an email. This way it is not clear what response time that means valid or not valid email.
But you don't know how long sending emails takes, so it will just be a relatively good guess at best which does not help since it can be determined via enough requests…
You are totally correct.
And I just saw your comment in github for using "a 3rd party package that allows to send emails asynchronously", I didn't thought of that at all.
Keep up the good work <3
follow-up: 13 comment:12 by , 5 years ago
Question: why not fix PasswordResetView? documenting it is just not enough.
follow-up: 14 comment:13 by , 5 years ago
Replying to Mohammad Almazroa:
Question: why not fix PasswordResetView? documenting it is just not enough.
Well, suggestions on fixes are welcome… Unless we want to change the reset view to enter the username (in which case we'd leak usernames instead), I do not see any obvious way on how to fix this.
comment:14 by , 5 years ago
Replying to Florian Apolloner:
Replying to Mohammad Almazroa:
Question: why not fix PasswordResetView? documenting it is just not enough.
Well, suggestions on fixes are welcome… Unless we want to change the reset view to enter the username (in which case we'd leak usernames instead), I do not see any obvious way on how to fix this.
"you can use a 3rd party package that allows to send emails asynchronously" .. this is your solution and it's valid. why don't you make the reset view sends emails asynchronously?
First of all, please note that security issues should be privately sent to security@… and never on public issue trackers.
Your analysis is correct, however
PasswordResetViewsends an email which always take an extra time. We don't know how much it takes so adding a fixed delay is impossible and for a random sleep time you'd just need a bit of statistic to figure it out.I think we could document this potential account existence leak in PasswordResetView.