Not sure if I'm following, but we have 2 scenarios:
1. An attacker asks to reset john(a)doe.com, which exists in the database. In this case
my only idea is:
HTTP Response: “An e-mail with the reset instructions was sent”
That example returns the URL, because I'm not taking e-mail validation etc. into
consideration.
2. An attacker asks to reset meggie(a)doe.com, which doesn't exist in the database. In
this scenario, same thing:
HTTP Response: “An e-mail with the reset instructions was sent”
It might sound silly at first glance, but the idea is not to give any clue as to whether
some data exists in the database or not. Is that your idea?
On December 5, 2013 at 10:42:34 AM, Apostolos Emmanouilidis (aemmanou(a)redhat.com) wrote:
Just wanted to add that the /rest/forgot endpoint response must
return the same answer regardless of whether the given e-mail is successfully validated
against the database or not. The client should not be able to find out if an e-mail
address exists in our DB.
--
abstractj
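The uniform-response behaviour the two messages above agree on, as an added example that is not code from the original thread or from the project it discusses. Names such as USERS, RESET_TOKENS, the outbox list standing in for an e-mail sender and the https://example.invalid reset URL are assumptions made for the example; the account data is constructed. The leaky variant is included only to contrast the enumeration oracle that the thread wants to avoid.

```python
import hashlib
import secrets

# Constructed in-memory "database" of registered accounts (example data only).
USERS = {"john@doe.com": {"id": 1}}

# Pending reset tokens, keyed by the SHA-256 of the token so that a database
# leak does not hand out usable reset links. A real service would add an expiry.
RESET_TOKENS = {}

# The single response body both branches return; the reset URL itself never
# appears here, only in the e-mail.
GENERIC_RESPONSE = (200, {"message": "An e-mail with the reset instructions was sent"})


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def send_reset_mail(email, token, outbox):
    """Stand-in for the mailer: records (recipient, reset link) in `outbox`."""
    outbox.append((email, f"https://example.invalid/reset?token={token}"))


def handle_forgot(email, outbox):
    """POST /rest/forgot: same status and body whether or not `email` exists.

    The token is generated on both paths so the amount of work done does not
    depend on the lookup result; that narrows (but does not fully close) the
    timing side channel, which the response body alone cannot address.
    """
    normalized = email.strip().lower()
    token = secrets.token_urlsafe(32)
    user = USERS.get(normalized)
    if user is not None:
        RESET_TOKENS[_hash_token(token)] = normalized
        send_reset_mail(normalized, token, outbox)
    return GENERIC_RESPONSE


def handle_forgot_leaky(email, outbox):
    """The anti-pattern: the status code tells the caller whether the account exists."""
    normalized = email.strip().lower()
    if normalized not in USERS:
        return (404, {"message": "e-mail not found"})
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = normalized
    send_reset_mail(normalized, token, outbox)
    return GENERIC_RESPONSE


def redeem_reset_token(token):
    """Consume a token from the e-mailed link; returns the account or None. Single use."""
    return RESET_TOKENS.pop(_hash_token(token), None)


if __name__ == "__main__":
    outbox = []
    print(handle_forgot("john@doe.com", outbox))    # account exists: mail is sent
    print(handle_forgot("meggie@doe.com", outbox))  # account missing: identical response
    print(outbox)                                   # exactly one reset link, for john
```

The point to check in a review is that every return path of the forgot handler produces byte-identical status and body, and that nothing else observable (a different redirect, a different Set-Cookie, a validation error raised only after the lookup) reintroduces the distinction.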