
Entering a username leaks the associated email address #2882

Closed
ewmy opened this issue Feb 10, 2016 · 1 comment

Comments


ewmy commented Feb 10, 2016

On the "Forgot Password" page (i.e. https://www.nuget.org/account/ForgotPassword) you can enter a username as well as an email address.

If you do enter a username then the next page (i.e. https://www.nuget.org/account/PasswordSent) contains the user's email address in the following message:

We've sent an email to <EMAIL> containing a temporary url that will allow you to reset your NuGet.org account password for the next 24 hours.

Please check your spam folder if you don't receive the email within a few minutes.

This feels like a leak of information which a user wouldn't expect to be public.

The fix may be to stop password resets through a username, or it may be to remove the email address from the final message.
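As an added illustration (not NuGet Gallery's own code), the two handlers below contrast the behaviour described in this report with a hardened version: the reset mail still goes to the account's registered address, but the confirmation page only repeats what the requester typed and reads the same whether or not the account exists, which also closes the username-enumeration angle. The account names, addresses and message wording are constructed for the example.

```python
"""Added example: a forgot-password flow whose confirmation page never
reveals an email address the requester did not already type."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store (username -> registered email).
ACCOUNTS = {
    "alice": "alice@example.org",
    "bob": "bob@example.net",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ResetResult:
    message: str               # text rendered on the confirmation page
    sent_to: Optional[str]     # address the mail went to; server-side only


def forgot_password_leaky(identifier: str) -> ResetResult:
    """Behaviour from the report: a username is resolved to its email
    address and that address is echoed back to whoever submitted the form."""
    email = ACCOUNTS.get(identifier)
    if email is None and identifier in ACCOUNTS.values():
        email = identifier
    if email is None:
        return ResetResult("No account found for that username or email.", None)
    return ResetResult(f"We've sent an email to {email} containing a temporary url ...", email)


def forgot_password_fixed(identifier: str) -> ResetResult:
    """Hardened variant: echo only what the requester typed, and use one
    wording for 'account exists' and 'account does not exist'."""
    if EMAIL_RE.match(identifier):
        email = identifier if identifier in ACCOUNTS.values() else None
        shown = f"If an account is registered under {identifier}, we've sent it a reset link."
    else:
        email = ACCOUNTS.get(identifier)
        shown = "If that username exists, we've sent a reset link to its registered email address."
    return ResetResult(shown, email)


def message_leaks_email(result: ResetResult, identifier: str) -> bool:
    """True when the rendered message contains any stored address other
    than the one the requester typed (the condition the report describes)."""
    return any(addr in result.message and addr != identifier for addr in ACCOUNTS.values())
```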

@maartenba (Contributor):

That's a great find! We'll be deploying an update to this ASAP.

maartenba mentioned this issue Feb 10, 2016