Email enumeration via Reset password page in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 6th 2022


Description

Through the Reset password page, an attacker can know that if an email exists or not; just by observing the notification in the response page. So, once the attacker knows that an email exists, he can launch a brute force attack against it.

If an email exists:

The notification will be A password reset link was sent to <email_address> with green color.

If an email does not exist:

The notification will be No user with that email address was found. with red color.

Proof of Concept

1.Go to the Reset password page (https://book.dansmonorage.blue/password-reset)
2.Enter an existed email and click Submit.
3.Observe the success notification.
4.Enter a non-existed email (Ex: test@local.com) and click Submit.
3.Observe the error notification.

Impact

Account enumeration is a potential security risk whereby a web site gives out information about what accounts are already in the system. This may:
a) leave them susceptible to a brute-force attack
b) may violate their users privacy which may be very important for certain types of sites.

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a month ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a month ago
Mouse Reeve modified the Severity from Critical to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Mouse Reeve validated this vulnerability a month ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on 2d2d01 a month ago
The fix bounty has been dropped
password.py#L24-L44 has been validated
Mouse Reeve gave praise a month ago
Thanks for flagging!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation