Forgotten password reminder is not helpful to user who enters one of their email addresses LP doesn't know
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | High | Simon Davy | 12.01.05
Bug Description
Discovered this when helping a user who could not remember their LP login credentials.
https:/
User enters their email address - turns out not to be the one associated with their LP account, oops.
https:/
Tells them an email has been sent to the address provided (which was a valid email address).
No email is ever delivered to the address.
I just tried this myself with an email alias LP doesn't know about, and can confirm that no email was received.
"We’ve just emailed <email address hidden> (from <email address hidden>) with instructions on resetting your password."
No email. Launchpad SHOULD have emailed me to tell me it couldn't find an account associated with the email address I'd given.
Since the email address is owned by me, contacting (or attempting to contact) the user via the email address they provided doesn't leak any information to $evildoer.
The only potential for abuse is someone using the form to send irritating email to people with no Launchpad account. (Just as they could already do to someone _with_ a Launchpad account.)
(Separated out from a comment I made in Bug #700493.)
Escalated by toykeeper on behalf of Support CoP
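The behaviour the report asks for, as an added illustration that is not the bug reporter's, Canonical's or Launchpad's code: a password-reset request handler that shows the same page text for every address (so the web form itself cannot be used to enumerate accounts), emails a reset link only when the address belongs to an account, emails an explicit "no account is associated with this address" message otherwise, and rate-limits requests per address to cap the "irritating email" abuse the report mentions. The account table, the `login.example` reset URL, the one-hour token lifetime and the three-requests-per-hour limit are all assumptions made for the example.

```python
"""Password-reset request handling with a uniform web response, an explicit
"no account" mail for unknown addresses, hashed single-use reset tokens and
per-address rate limiting. Added example; not Canonical/Launchpad code."""

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RESET_TOKEN_TTL = 60 * 60        # assumed policy: reset links expire after one hour
RATE_WINDOW = 60 * 60            # assumed policy: per-address request window
MAX_REQUESTS_PER_WINDOW = 3      # assumed policy: requests allowed per address per window


@dataclass
class Mail:
    to: str
    subject: str
    body: str


def response_text(email: str) -> str:
    """The only text the web page shows. It is identical whether or not the
    address is known, so the page cannot be used to enumerate accounts, yet it
    tells the user that a 'no account' mail is a possible outcome."""
    return (f"We've emailed {email}. If an account is associated with that "
            "address, the message contains a password reset link; if not, it "
            "says so, and you should try another address.")


class ResetService:
    def __init__(self, accounts: dict):
        self.accounts = accounts   # email -> username (constructed sample data)
        self.outbox = []           # stand-in for the outgoing mail queue
        self.tokens = {}           # sha256(token) -> (email, expiry); only the hash is stored
        self._history = {}         # email -> recent request timestamps

    def _rate_limited(self, email: str, now: float) -> bool:
        recent = [t for t in self._history.get(email, []) if now - t < RATE_WINDOW]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self._history[email] = recent
            return True
        recent.append(now)
        self._history[email] = recent
        return False

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        email = email.strip().lower()
        if self._rate_limited(email, now):
            # Drop silently: if the response changed here, the limit itself would leak.
            return response_text(email)
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + RESET_TOKEN_TTL)
            self.outbox.append(Mail(
                email, "Reset your password",
                f"Reset link: https://login.example/reset?token={token}"))  # hypothetical URL
        else:
            # The report's point: only the owner of the mailbox sees this message,
            # so telling them there is no account leaks nothing to a third party.
            self.outbox.append(Mail(
                email, "No account for this address",
                "A password reset was requested for this address, but no account is "
                "associated with it. Try another address or contact support."))
        return response_text(email)

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the account email for a valid, unexpired, unused token, else None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # single use: the entry is gone after this
        if entry is None or entry[1] < now:
            return None
        return entry[0]


if __name__ == "__main__":
    svc = ResetService({"alice@example.org": "alice"})   # constructed sample account
    print(svc.request_reset("alice@example.org"))
    print(svc.request_reset("nobody@example.com"))
    for m in svc.outbox:
        print(m.to, "<-", m.subject)
```

The point worth checking in any fix of this kind is that the web response is computed before the account lookup can influence it: the mail that reaches the mailbox may differ, but the page text, status code and timing should not, or an attacker who submits an address and only watches the page learns whether an account exists.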
affects: launchpad → canonical-identity-provider
tags: added: escalated
description: updated
Changed in canonical-identity-provider:
assignee: nobody → Simon Davy (bloodearnest)
Changed in canonical-identity-provider:
status: Confirmed → In Progress
tags: added: kb-task sp-1
tags: added: kb-defect; removed: kb-task
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
milestone: none → 12.01.05
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
I suggest the text say something like "If foo@bar is a valid LP user, we've sent an email, but if it isn't, we haven't." It's not clear from that page that "don't send an email" is a perfectly valid response to the request.