
"Forgot your password?" includes IP address of requester

Started by m4z, October 19, 2019, 01:45:10 PM


m4z

I'm using 2.1 (commit 50dc25705dfdf56bada445704f6295163fa670e8 from 2019-10-10).

When somebody clicks the "Forgot your password?" link on the login page and inputs a valid username or mail address, the resulting e-mail contains the IP address of the requesting person.

To me, it's already bad enough that my HTTPS-only forum just sent the user his/her/* own IP address in unencrypted mail, because they have no use for it.
What's worse, if it wasn't them and somebody knew or guessed their IP or username, my forum just violated the GDPR by transmitting PII (the IP of the "attacker") to a third party (the user being targeted), which again, a normal user doesn't even know what to do with. :-X

I see the need to log the IP for the Admins, in case of abuse. But why send it to the user? To encourage hacking back? :P
"Faith is what you have in things that don't exist."
--Homer Simpson

There is a German support board here in the forum!

Arantor

Actually, they can have a use for it. Consider a flood of repeated requests to your email all from different IP addresses - it could indicate someone is trying to break into your account. Or lots of someones.

And there is a clause in the GDPR for that data being sent for legitimate security purposes.
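The pattern Arantor describes (many reset requests for one account from many different addresses in a short time) is also what an admin would look for server-side. The script below is an added example, not SMF code: it runs a sliding-window check over a constructed log of password-reset requests (timestamp, account, requester IP; the format and the addresses are made up for illustration) and flags accounts that were targeted from at least `threshold` distinct IPs within `window`. A single user who forgot their password and retried from home would not trip it; a distributed guessing attempt would.

```python
"""Flag accounts whose password-reset requests come from many distinct IPs
in a short window.

Added example, not part of SMF. The log format is constructed for
illustration:   <ISO-8601 timestamp> <account> <requester IP>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample: alice is hit from five addresses in under three minutes,
# bob retries twice from the same address, alice tries again later herself.
SAMPLE_LOG = """\
2019-10-19T13:40:00 alice 203.0.113.5
2019-10-19T13:40:20 alice 198.51.100.77
2019-10-19T13:41:05 alice 192.0.2.14
2019-10-19T13:41:50 alice 203.0.113.99
2019-10-19T13:42:30 alice 198.51.100.8
2019-10-19T13:45:00 bob 192.0.2.200
2019-10-19T14:10:00 bob 192.0.2.200
2019-10-19T15:00:00 alice 203.0.113.5
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, ip) tuples.

    ip_address() rejects malformed addresses, so a garbage field fails loudly
    instead of silently counting as a distinct 'IP'.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, ip_address(ip)))
    return events


def flag_reset_floods(events, window=timedelta(minutes=10), threshold=3):
    """Return {account: set_of_ips} for every account that received reset
    requests from at least `threshold` distinct IPs inside any `window`.

    The reported set is the largest distinct-IP set seen in a qualifying
    window, so the admin sees every address involved, not just the first few.
    """
    by_account = defaultdict(list)
    for ts, account, ip in events:
        by_account[account].append((ts, ip))

    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()  # sliding window needs chronological order
        best = None
        start = 0
        for end in range(len(reqs)):
            # Drop requests that fell out of the window ending at reqs[end].
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {ip for _, ip in reqs[start:end + 1]}
            if len(distinct) >= threshold and (best is None or len(distinct) > len(best)):
                best = distinct
        if best is not None:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    for account, ips in flag_reset_floods(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: reset requests from {len(ips)} distinct IPs: "
              + ", ".join(sorted(map(str, ips))))
```

Tune `window` and `threshold` to the forum's traffic; a single lonely request from an unfamiliar address is exactly the case where the IP in the e-mail lets the user themselves judge, while the sliding-window count is what the admin logs should answer.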

m4z

But when clicking that link, the user isn't logged in, so as the forum owner I guess I don't have consent and hence don't even have permission to save and process it according to GDPR, no? (And yes, I know about the technical impossibilities of such laws that ignore how tech works.)

Arantor

It's complicated but I think it would be OK under the provisions for collection of PII necessary for the protection of security of the system. (i.e. giving the user the IP address used to request a forgot password, that they can verify against their own IP address)

* Disclaimer: I am not a lawyer and this should not be construed as legal advice, merely opinion.

shawnb61

m4z -

I'm with Arantor on this one, I think it is helpful to send that information. Note that in the event of a fraudulent attempt, this is the IP of the bad guy's computer. It can't be used to reveal someone else's info - only your own.

A savvy user could use that to confirm/deny it was from their location. I see it as helpful.

NOTE that if you really are concerned about it, you can edit the text for your forum in EmailTemplates.<language>.php. It's under your control.

Shawn
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

m4z

Thanks. I'm not convinced, but I'll mark this solved for now and read up on the details.
