The rate-limiting mechanism on 'invalid' email-registration requests locks out users for one hour
Bug #551906 reported by Chris
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
psiphon | Fix Committed | Undecided | Adam P |
Bug Description
Steps to reproduce:
1. Log in to Psiphon
2. Go to the 'profile' page
3. Submit an email address that has already been registered (on a different account) with Psiphon
4. Go to the inbox of the chosen email address, wait for the validation email, and click the link
5. Psiphon will present an error message
6. Log out from Psiphon, if necessary, then log in again as the same user
7. Attempt to register a different email address
8. Psiphon will present an error message
Should rate-limiting only trigger on _successful,_ validated email addresses?
summary: changed from "Email-registration: rate-limiting (once-per-hour) on requests that result in failed validation still lock out users" to "The rate-limiting mechanism on 'invalid' email-registration requests locks out users for one hour"
tags: added: category3
One of the goals of email verification was to prevent a malicious user from using Psiphon to spam other people (partly so that we're not a nuisance to people, partly so that we don't end up looking like a spammer). If we allow non-rate-limited unsuccessful change attempts, then a malicious user can just keep putting in email addresses and forcing us to send out rapid-fire emails to whomever he wants.
This is related to another problem that has been discussed that I'll be adding a bug for shortly. (And then I'll add a link to it from here.)
I'm going to mark this as invalid. But if you have further input or I've missed the point, please add comments.
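The trade-off in the comment above, as an added illustration that is not Psiphon's code: a once-per-hour limit can be consumed either when the verification mail is sent or only when a validation succeeds. The class, the `limit_on_request` switch and the sample user and address are assumptions made for this example.

```python
from collections import defaultdict

WINDOW_SECONDS = 3600  # once-per-hour window, as described in the bug


class EmailChangeService:
    """Model of the flow in the report: request -> send mail -> click link."""

    def __init__(self, limit_on_request):
        # True: the quota is consumed when the mail is sent (the behaviour the
        # comment defends). False: only a successful validation consumes it
        # (what the report asks for). Both are assumptions for illustration.
        self.limit_on_request = limit_on_request
        self.last_counted = {}         # user -> time of last counted event
        self.sent = defaultdict(list)  # recipient -> send times

    def _limited(self, user, now):
        last = self.last_counted.get(user)
        return last is not None and now - last < WINDOW_SECONDS

    def request_change(self, user, email, now):
        """User submits a new address; returns 'sent' or 'rate_limited'."""
        if self._limited(user, now):
            return "rate_limited"
        self.sent[email].append(now)  # the verification mail goes out here
        if self.limit_on_request:
            self.last_counted[user] = now
        return "sent"

    def validate(self, user, already_registered, now):
        """User clicks the link; fails if the address is on another account."""
        if already_registered:
            return "error"
        if not self.limit_on_request:
            self.last_counted[user] = now
        return "ok"


def mails_to_one_address(limit_on_request, attempts=20):
    """Mails one user can trigger to a single address in a minute when every
    validation fails because the address is already registered."""
    svc = EmailChangeService(limit_on_request)
    for i in range(attempts):
        now = i * 3  # one attempt every three seconds (constructed input)
        if svc.request_change("user-a", "taken@example.test", now) == "sent":
            svc.validate("user-a", True, now)
    return len(svc.sent["taken@example.test"])
```

With the limit on requests the user in the report sees the second attempt refused for an hour, which is the behaviour the bug describes; with the limit on successful validations the same failed flow sends a mail on every attempt.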