This isn't strictly a security vulnerability, but there are issues with the password reset mechanism.
1) Can be hammered by bots.
There's no CAPTCHA or *anything* involved here. This has two sets of consequences, potentially: firstly, it means users get tons of email when bots start causing trouble, and secondly, in the worst cases, it can see a site flagged as a spammer.
2) There's no expiry time.
The link generated in the email is valid for an indefinite period. It should only last 24 hours or so; there's not really much reason to leave it valid longer than that.
3) It tells you whether or not the email exists in the database.
And that, I do consider a potential vulnerability to be honest :P
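Added example (not from this thread or the site in question): a minimal Python sketch of a reset flow that addresses all three points above, with a per-address throttle, a 24-hour expiring single-use token, and a response that reads the same whether or not the address is registered. The class and constant names (PasswordReset, TOKEN_TTL, MAX_PER_HOUR, GENERIC_MSG) and the in-memory user set are assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

TOKEN_TTL = 24 * 3600       # issue 2: a reset link lives 24 hours, then dies
MAX_PER_HOUR = 3            # issue 1: cap on reset requests per address per hour
GENERIC_MSG = "If that address is registered, a reset link has been sent."


class PasswordReset:
    def __init__(self, registered_emails, clock=time.time):
        self.users = set(registered_emails)   # constructed stand-in for the user table
        self.clock = clock                    # injectable so expiry can be tested
        self.tokens = {}                      # sha256(token) -> (email, issued_at)
        self.history = defaultdict(deque)     # email -> timestamps of recent requests

    def request_reset(self, email):
        """Returns (message_for_http_response, token_for_email).

        The message is identical whether or not the address exists (issue 3),
        so the endpoint cannot be used to enumerate accounts. The token, if any,
        goes only into the outbound e-mail, never into the HTTP response.
        """
        now = self.clock()
        recent = self.history[email]
        while recent and now - recent[0] > 3600:
            recent.popleft()                  # forget requests older than an hour
        if len(recent) >= MAX_PER_HOUR:
            return GENERIC_MSG, None          # throttled: same message, no mail sent
        recent.append(now)
        if email not in self.users:
            return GENERIC_MSG, None          # unknown address: same message, no mail sent
        token = secrets.token_urlsafe(32)
        # store only a hash, so a leaked table does not hand out live reset links
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = (email, now)
        return GENERIC_MSG, token

    def redeem(self, token):
        """Returns the account email for a valid, unexpired, unused token, else None."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)    # pop makes every token single-use
        if entry is None:
            return None
        email, issued_at = entry
        if self.clock() - issued_at > TOKEN_TTL:
            return None                       # issue 2: expired links are rejected
        return email
```

Throttling by address means a flood of requests for one account stops generating mail after the cap, which is the "hammered by bots" case from point 1.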
That's also true, yes, it gives you a magic method to validate email addresses, and yes, that is a legitimate vulnerability of sorts. However, on the other hand, it does cross the 'security vs usability' line: there is a valid argument that giving users better feedback is more usable even if it is less secure.
Yeah that's certainly true. Where do you draw the line? It's absolutely no lie that it might be annoying if you have multiple email addresses and you have no idea which one you registered with. Although... IIRC (it's been a while o0) you can request a password reset using your username which kinda solves that issue.
Just noticed it has been used to scan for accounts to compromise. :(
Quote: IIRC (it's been a while o0) you can request a password reset using your username which kinda solves that issue.
Correct.
Quote: Just noticed it has been used to scan for accounts to compromise.
Yeah, we've noticed much the same thing elsewhere (which is what prompted me to raise it).
Moved to bug reports so it's easier to find. :P
I personally didn't consider them bugs as such but it's all good.