id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31505	Document possible email address enumeration in PasswordResetView.	Mohammad Almazroa	Mariusz Felisiak	"Hello :)

Description:
While implementing the password reset functionality using:

{{{
from django.contrib.auth.views import PasswordResetView, PasswordResetDoneView, PasswordResetConfirmView, PasswordResetCompleteView

}}}
It was noticed that an attacker will be able to enumerate registered users' emails by the response time of the application. A long response time means the email exists; a quick response time means it does not exist.

Impact:
This will allow an attacker to collect a list of users' emails, which can help in further attacks. Knowing a list of emails can start a ""Password spraying"" attack.

Remediation:
Set up a random sleep time when the email does not exist. The response time for a correct and an incorrect email should be the same.

Screenshot:
[[Image(https://i.imgur.com/Sgk3q3T.png)]]

Notice that the email ""mmalmazroa@gmail.com"" is an email that is assigned to a user registered in the application, and the response time in ""Response  received"" tab.

Thank you for your work <3"	Cleanup/optimization	closed	Documentation	3.0	Normal	fixed	User Enumeration Security Bug	Florian Apolloner	Accepted	1	0	0	0	0	0
