First time registration email does not include the required code
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical SSO provider | New | Undecided | Unassigned | | |
Bug Description
I found this odd as I've come across this issue now in UbuntuOne and now in Launchpad. When I installed Ubuntu 11.04 last week I signed up for UbuntuOne. When I registered it stated I would be receiving an email with a 6 AN code included. I got an email as follows:
We've received a request to create a new account with your email address.
If this was you, perhaps you've forgotten your password?
https:/
If not, someone may be trying to impersonate you. If you get more requests like this, please let us know.
Regards,
The Launchpad Login Service team
Nowhere inside the email body did I see a code, so I went ahead and clicked on the link to reset my password, where it took me to a page to enter my email address and password which I had used to set up the Launchpad account. I then received another email that contained the following information:
Hello
You have requested a new password for your Launchpad Login Service account.
Here is your confirmation code:
XXXXXX
Enter this code into the password-reset form, or click the following link to automatically confirm your reset:
https:/
If you don't know what this is about, then someone else has entered your email address at the Launchpad Login Service. Sorry about that. You don't need to do anything further, just delete this message.
Regards,
The Launchpad Login Service team
Being that I was on a new tab in my browser, I went back and entered the code that I got in the second email to reset my password into the verification box to set up my new account, and it stated my new account was authenticated.
Basically, the first email does not include the 6-digit code as one would assume, and the code included in the email to reset my password authenticated my account. Working with similar systems in the past, it seems that the message templates for the verification system are incorrect and need to be looked at. As stated, this also happened to me when I went to set up my UbuntuOne account for the first time.
If I can provide additional details or if you wish me to test anything further, please let me know, as I'm currently signing up to be on the bug triage team and hopefully become a part of the Ubuntu community. So this may be a security risk not only for Launchpad but for Ubuntu in general. If this needs to be placed in the bug community as noted below under Ubuntu, please let me know and I will open it there, or in addition to here.
Thanks Again,
Poettone
As the first email says, you already have an account -- you probably want to reset your password instead. The web UI deliberately avoids saying this to prevent attackers from determining whether an account with that email address exists.
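The behaviour described in the reply above, as an added example that is not part of the original thread and is not the Canonical SSO provider's code: the web response is identical whether or not the address is registered, and only the mailbox owner learns the difference by email. All names here (`SignupService`, `register`, `request_reset`, `confirm`) are hypothetical, and binding each code to the purpose it was issued for is a design choice of this example, not something the thread states about Launchpad.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed code alphabet
SIGNUP_REPLY = "We've sent an email with a confirmation code."
RESET_REPLY = "If that address has an account, we've sent a reset code."


class SignupService:
    def __init__(self):
        self.accounts = set()  # confirmed email addresses
        self.pending = {}      # (email, purpose) -> one-time code
        self.outbox = []       # (recipient, body) pairs standing in for SMTP

    def _issue(self, email, purpose):
        code = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.pending[(email, purpose)] = code
        return code

    def register(self, email):
        if email in self.accounts:
            # Existing account: tell only the mailbox owner, and send no code.
            body = ("We've received a request to create a new account with "
                    "your email address. Perhaps you've forgotten your password?")
        else:
            body = "Here is your confirmation code: " + self._issue(email, "signup")
        self.outbox.append((email, body))
        return SIGNUP_REPLY  # identical web response on both branches

    def request_reset(self, email):
        if email in self.accounts:
            code = self._issue(email, "reset")
            self.outbox.append((email, "Here is your confirmation code: " + code))
        return RESET_REPLY  # identical whether or not the account exists

    def confirm(self, email, purpose, code):
        # A code is valid only for the purpose it was issued for, and only once.
        expected = self.pending.get((email, purpose))
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        del self.pending[(email, purpose)]
        if purpose == "signup":
            self.accounts.add(email)
        return True
```
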