Brute force account discovery

Bug #1564758 reported by Thibaud Lopez Schneider on 2016-04-01
This bug affects 3 people
Affects: Canonical SSO provider
Status: Fix Released
Importance: Low
Assigned to: Maximiliano Bertacchini

Bug Description


The following Launchpad pages are subject to brute force account discovery:

* login page,
* password recovery page,
* registration.

They will tell whether an email address is already registered or not, without any throttling, limit, or CAPTCHA. There should be.

Thank you,



affects: ubuntu-website → launchpad
information type: Private Security → Public
William Grant (wgrant) on 2016-04-01
affects: launchpad → canonical-identity-provider
Daniel Manrique (roadmr) on 2018-06-07
Changed in canonical-identity-provider:
status: New → Confirmed
Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
summary: - Launchpad brute force account discovery
+ Brute force account discovery
Changed in canonical-identity-provider:
importance: Undecided → Low
status: Confirmed → In Progress

Next rollout includes the following improvements:

- Significantly tighten the registration view throttling limit.
- Fix registration and forgot password views to show a nice "rate limit exceeded" error message.
- Show the "Check your email" page on the forgot password view for non-registered emails, the same as for registered emails.
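As an added illustration of the two mitigations listed above (uniform "Check your email" response plus throttling), here is a small Python model of a forgot-password and registration flow. It is example code written for this page, not code from canonical-identity-provider or Launchpad; the `RateLimiter` and `AccountService` classes, the in-memory user store, the limit of 3 requests per 60 seconds, and the response texts are all hypothetical. The leaky "before" handler is kept alongside the fixed one so the difference in observable behaviour is easy to compare.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key.

    Keyed by client IP in this example (hypothetical policy). A real deployment
    should also key on the target e-mail address, so that an attacker spreading
    probes across many source addresses still hits a per-target ceiling.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested offline
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class AccountService:
    """Constructed in-memory stand-in for the identity provider's user store."""

    def __init__(self, registered, limiter):
        self.registered = set(registered)
        self.limiter = limiter
        # Mail is queued rather than sent inline so that response time does not
        # depend on whether an address is registered.
        self.outbox = []

    # 'Before': the behaviour the report describes, kept as the vulnerable reference.
    def forgot_password_leaky(self, email):
        if email in self.registered:
            self.outbox.append(("reset", email))
            return 200, "Check your email for a reset link."
        # Different status and text for unknown addresses: an enumeration oracle.
        return 404, "No account is registered for that e-mail address."

    # 'After': identical status and body for every address, plus throttling.
    def forgot_password(self, email, client_ip):
        if not self.limiter.allow(client_ip):
            return 429, "Rate limit exceeded. Please try again later."
        if email in self.registered:
            self.outbox.append(("reset", email))
        return 200, "Check your email for a reset link."

    # Registration gets the same treatment: never confirm to the requester that an
    # address exists; notify the existing account holder instead.
    def register(self, email, client_ip):
        if not self.limiter.allow(client_ip):
            return 429, "Rate limit exceeded. Please try again later."
        if email in self.registered:
            self.outbox.append(("already-registered", email))
        else:
            self.outbox.append(("confirm", email))
        return 200, "Check your email to confirm your account."


if __name__ == "__main__":
    svc = AccountService({"alice@example.com"}, RateLimiter(limit=3, window=60))
    print(svc.forgot_password_leaky("nobody@example.com"))   # reveals the address is unknown
    print(svc.forgot_password("nobody@example.com", "10.0.0.1"))
    print(svc.forgot_password("alice@example.com", "10.0.0.1"))  # indistinguishable reply
```

Two points worth keeping in mind when applying this pattern for real: the uniform response only closes the oracle if the server-side work is also uniform (hence queuing the mail instead of sending it inline, so a registered address does not take measurably longer), and a per-IP limiter alone is weak against a botnet, so the limit should also apply per target address and the same throttling should cover the login view, which the report lists as the third affected page.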

Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released