Password reset error messages allow user enumeration #2237
Comments
|
This is something that has been brought up in the past and determined that the UX is worth it for the possible enumeration. If additional folks think this ought to be changed, I am willing to change it. |
|
I don't think there need to be trade-offs for UX vs. security. Error messages can be made more generic to prevent user enumeration while also providing a good user experience. A similar discrepancy in error messages occurs on login: when an organization requires SSO, attempting to log in with a password results in the following error for |
|
The tradeoff is this: Downside - User enumeration is possible. For folks who are especially concerned about this, a mitigation is to only expose the admin interface behind a VPN. This is actually a very common deployment strategy for Fleet. Fleet does not phone home or provide any analytics that would help to understand how this plays out in real world deployments. I remain open to changing the functionality if we can get more engagement on this issue and the community seems well aligned. |
Could error messages can be more generic for password reset?
This is not a critical/high request, but should be taken into consideration.
I found the errors after resetting password are not generic and someone could enumerate user accounts.
Reset password SSO
An invalid user account returns this msg
fleet/server/datastore/mysql/errors.go
Line 23 in 0683269
A valid user account will return this msg
fleet/server/service/service_users.go
Line 243 in 45f6a74
It could be something like
"If you have an account, a password reset email will be sent" Or something more generic.
thanks!
The text was updated successfully, but these errors were encountered: