Security: repeat submit, timing attacks

(Alex) #1

This is what happened when I submit the forgot password form multiple times. I could do this just by pressing and holding the return key on the keyboard… (ignore the account locked message)

This also opens up the possibilities for timing attacks:
It shows a very clear pattern in response time between an account match and a non-match.
All the responses below 200ms were non-existing email addresses. Everything above was a match (my email).

(my cat walked over my keyboard and that led to the discovery :wink: )

(FCC) #2

We have rate limited the endpoints. Thanks.

(FCC) closed #3
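As an added example (not code from the report or from the site's fix), the two issues in this thread in one Python sketch: a leaky forgot-password handler that only does the expensive work when the account exists, next to a hardened version that throttles per client IP and per email with a sliding window and performs identical work on both paths. The account store, limits, IPs and the `work` counter are constructed for illustration.

```python
import hashlib
import secrets
from collections import defaultdict, deque

# Constructed sample account store (placeholder data, not from the report).
USERS = {"alice@example.com": {"reset_token": None}}

# Sliding-window limiter: at most MAX_REQUESTS per key per WINDOW_SECONDS.
WINDOW_SECONDS, MAX_REQUESTS = 60.0, 5
_hits = defaultdict(deque)  # key -> timestamps of recent requests

def rate_limited(key, now):
    """Record a request for `key` at time `now`; True if the window is already full."""
    q = _hits[key]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()  # drop requests that fell out of the window
    if len(q) >= MAX_REQUESTS:
        return True
    q.append(now)
    return False

def expensive_token_work(email):
    """Stand-in for the costly part of a reset: derive a token (milliseconds of work)."""
    token = secrets.token_urlsafe(32)
    hashlib.pbkdf2_hmac("sha256", token.encode(), email.encode(), 20_000)
    return token

def leaky_forgot_password(email):
    """The pattern behind the report: the slow path runs only for registered
    addresses, so response time reveals whether an account exists.
    Returns (message, work) where `work` counts expensive operations."""
    work = 0
    if email in USERS:
        USERS[email]["reset_token"] = expensive_token_work(email)
        work += 1
    return "If that address is registered, a reset link has been sent.", work

def hardened_forgot_password(email, client_ip, now):
    """Throttle per IP and per email, then do the same work on both paths.
    Returns (status, message, work). Mail delivery would be handed to a
    background worker so that it also stays off the request path."""
    if rate_limited(client_ip, now) or rate_limited(email.lower(), now):
        return 429, "Too many requests", 0
    token = expensive_token_work(email)  # same cost whether or not the account exists
    if email in USERS:
        USERS[email]["reset_token"] = token  # only the persisted side effect differs
    return 200, "If that address is registered, a reset link has been sent.", 1
```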