
A failed login should not broadcast details of the attempt #305

Open
JamesGardiner opened this issue Apr 12, 2018 · 1 comment

Comments

@JamesGardiner
Contributor

JamesGardiner commented Apr 12, 2018

This service currently logs whether a username is registered or not when a failed login attempt is made. This is poor practice from a security perspective.

```python
# Response data built for a failed login; the message reveals whether the address is registered.
template_data = {"error": {"type": {"Email address is not registered"}}}
```

- If there is an API failure (we couldn't talk to the service to find out if the email is registered) -> display an error page
- Not registered -> display the 'we sent an email to that user with details' page
- Registered -> display the 'we sent an email to that user with details' page

At no point should either the password or username/email address form data be logged (because some user will undoubtedly put their password in the username field that will then end up in our log files as plaintext).
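The handler behaviour described in the issue, written out as an added example (not the project's own code). It assumes a hypothetical registry lookup `sample_lookup` and a constructed `SAMPLE_REGISTRY`; the `ListHandler` exists only so the example can show what reached the log. Registered and unregistered addresses produce the same page and the same log lines, only a registry failure produces a different page, and no form field value is ever written to the log, so a password typed into the email field never lands in plaintext.

```python
"""Uniform-response login handler with credential-free logging.

Added example, not the project's code.  The registry lookup and the sample
users below are constructed stand-ins for the real service.
"""
import logging
from typing import Callable, Dict, List


class RegistryUnavailable(Exception):
    """Raised when the user-registry API cannot be reached."""


# Constructed sample data standing in for the real registry API.
SAMPLE_REGISTRY = {"alice@example.org"}

# Records the addresses that "received" a login email (hypothetical mail call).
OUTBOX: List[str] = []


def sample_lookup(email: str) -> bool:
    """Hypothetical registry call: True if registered, raises if the API is down."""
    if email.endswith("@down.invalid"):
        raise RegistryUnavailable("registry API timeout")
    return email.strip().lower() in SAMPLE_REGISTRY


def send_login_email(email: str) -> None:
    """Stand-in for the mail call; deliberately logs nothing about the address."""
    OUTBOX.append(email)


class ListHandler(logging.Handler):
    """Collects formatted log lines so callers can inspect what was logged."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def handle_login(form: Dict[str, str],
                 lookup: Callable[[str], bool],
                 log: logging.Logger) -> Dict[str, str]:
    """Pick the page to render for a login-by-email request.

    Only a registry failure yields a distinct page.  Registered and
    unregistered addresses get the same page and the same log line, and the
    log only ever records which fields were submitted, never their values.
    """
    email = form.get("email", "")
    # Field names are safe metadata; field values (email, password) are not.
    log.info("login request received; fields=%s", sorted(form))
    try:
        registered = lookup(email)
    except RegistryUnavailable:
        log.error("login request failed: registry lookup unavailable")
        return {"page": "error"}
    if registered:
        send_login_email(email)
    # Identical outcome line whether or not the address was registered.
    log.info("login request processed; outcome=email_page")
    return {"page": "email_sent"}


def run_request(form: Dict[str, str],
                lookup: Callable[[str], bool] = sample_lookup) -> Dict[str, object]:
    """Run one request with a fresh logger and return the page plus log lines."""
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log = logging.Logger("login-example")  # standalone logger, no propagation
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    page = handle_login(form, lookup, log)["page"]
    return {"page": page, "log": list(handler.lines)}


if __name__ == "__main__":
    for form in ({"email": "alice@example.org"},
                 {"email": "bob@example.org"},
                 {"email": "x@down.invalid"},
                 {"email": "hunter2", "password": "hunter2"}):  # password in the wrong field
        result = run_request(form)
        print(result["page"], "|", " / ".join(result["log"]))
```

One caveat the page does not spell out: if the mail is sent synchronously, the registered branch takes measurably longer than the unregistered one, which leaks the same bit through response timing. Queue the email and return immediately so both branches do the same amount of work before responding.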

@jcox-dev
Contributor

I think this has been fixed now?
