First time registration email does not include the required code

Bug #977618 reported by Kevin Johnson
This bug affects 2 people
Affects: Canonical SSO provider
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I found this odd as I've come across this issue now in UbuntuOne and now in launchpad. When I installed Ubuntu 11.04 last week I signed up for UbuntuOne. When I registered it stated I would be receiving an email with a 6 AN code included. I got an email as follows:

We've received a request to create a new account with your email address.

If this was you, perhaps you've forgotten your password?

https://login.launchpad.net/+forgot_password

If not, someone may be trying to impersonate you. If you get more requests like this, please let us know.

Regards,

The Launchpad Login Service team

Nowhere inside the email body did I see a code, so I went ahead and clicked on the link to reset my password, where it took me to a page to enter my email address and password which I had used to set up the launchpad account. I then received another email that contained the following information:

Hello

You have requested a new password for your Launchpad Login Service account.

Here is your confirmation code:

XXXXXX

Enter this code into the password-reset form, or click the following link to automatically confirm your reset:

https://login.launchpad.net/token/pnNpXp/?email=poettone%40gmail.com

If you don't know what this is about, then someone else has entered your email address at the Launchpad Login Service. Sorry about that. You don't need to do anything further, just delete this message.

Regards,

The Launchpad Login Service team

Being that I was on a new tab in my browser, I went back and entered the code that I got in the second email to reset my password into the verification box to set up my new account, and it stated my new account was authenticated.

Basically, the first email does not include the 6-digit code as one would assume, and the code included in the email to reset my password authenticated my account. Working with similar systems in the past, it seems that the message templates for the verification system are incorrect and need to be looked at. As stated, this also happened to me when I went to set up my UbuntuOne account for the first time.

If I can provide additional details or if you wish me to test anything further, please let me know, as I'm currently signing up to be on the bug triage team and hopefully become a part of the Ubuntu community. So this may be a security risk not only for Launchpad but for Ubuntu in general. If this needs to be placed in the bug community as noted below under Ubuntu, please let me know and I will open it there, or in addition to here.

Thanks Again,
Poettone

William Grant (wgrant) wrote :

As the first email says, you already have an account -- you probably want to reset your password instead. The web UI deliberately avoids saying this to prevent attackers from determining whether an account with that email address exists.

affects: launchpad → canonical-identity-provider
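
The behaviour described in the comment above (the same on-screen reply whether or not the address is registered, with only the email differing) together with codes bound to the purpose they were issued for, as an added example that is not Canonical's code. The class, method and template names are hypothetical, and the in-memory store stands in for a real database and mailer.

```python
import hashlib
import secrets

# Same on-screen text for every request, so the web UI reveals nothing.
GENERIC_REPLY = "Check your inbox for an email with further instructions."


class SignupService:
    """Hypothetical in-memory model of the registration flow in this report."""

    def __init__(self):
        self.accounts = set()  # verified email addresses
        self.tokens = {}       # sha256(code) -> (email, purpose)
        self.outbox = []       # (recipient, template, code or None)

    def _issue(self, email, purpose):
        code = secrets.token_urlsafe(6)
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.tokens[digest] = (email, purpose)  # only the hash is stored
        return code

    def register(self, email):
        if email in self.accounts:
            # Existing account: no code, just a pointer to password reset.
            self.outbox.append((email, "already_registered", None))
        else:
            code = self._issue(email, "new_account")
            self.outbox.append((email, "new_account", code))
        return GENERIC_REPLY  # identical in both branches

    def request_reset(self, email):
        if email in self.accounts:
            code = self._issue(email, "password_reset")
            self.outbox.append((email, "password_reset", code))
        return GENERIC_REPLY

    def redeem(self, email, code, purpose):
        digest = hashlib.sha256(code.encode()).hexdigest()
        # The code must match the address AND the form it was issued for.
        if self.tokens.get(digest) != (email, purpose):
            return False
        del self.tokens[digest]  # single use
        if purpose == "new_account":
            self.accounts.add(email)
        return True
```

Only the mailbox owner can tell the two cases apart, and a reset code presented to the new-account form is rejected without being consumed.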
Robert Collins (lifeless) wrote :

Unprivating - the one-time code in the mail was used and there's nothing else here to protect.

security vulnerability: yes → no
visibility: private → public
description: updated
Kevin Johnson (poettone) wrote : Re: [Bug 977618] Re: First time registration email does not include the required code

This is exactly my point, I did not have an account previous to this as
this was my first time going to the launchpad site. This followed me
deciding to join the bug triage team and joining the IRC channel
#ubuntu-bugs where I was instructed to go to launchpad and set up an
account. As stated however the exact same thing happened to me when I went
to set up an account on UbuntuOne after first installing it for the first
time. There seems to be some issue somewhere in the
registration/validation process.

Thanks for your time.

On Mon, Apr 9, 2012 at 6:53 PM, William Grant <email address hidden> wrote:

> As the first email says, you already have an account -- you probably
> want to reset your password instead. The web UI deliberately avoids
> saying this to prevent attackers from determining whether an account
> with that email address exists.
>
> ** Project changed: launchpad => canonical-identity-provider

Joseph Elkhorne (jelkhorn) wrote :

Like Kevin, "my first time going to the launchpad site" -- and if I was a Winduhs user having a first look at Ubuntu, after the trouble I've had, I'd walk away and never look back.

From a newbie's point of view, an install that crashes is "oh well, stuff happens, I'll give it a fair shot" and let the info gathering for the bug report go, and then OK, I will follow along -- to provide additional information, whatever, only get to the new account page and jump through hoops including the damnable captcha and the never-to-be-seen email "we're sending". That was very late last night, maybe I should have known better. But being stubborn I am pursuing this, because I'm not a newbie, was dual-boot from the time someone gave me a warty disk, got jacked with XP about Feisty time and been only ubuntu on the desktop (here) since.

Yeah, I know it was playing Sisyphus trying to install 11.10 from a linux magazine distro on an EeePC701 (16 GB SD card) but I like a challenge (the little beast was bought with XP on it, no other option here at the time).

I assume the bug report went through -- saw it leaving here as the ADSL flashed but for all I know, it went to a cyber black hole.

The point is, the whole process is a real downer from a newbie's POV.
