[keycloak-user] Password Reset Email - Security Risk

Vinay vinayatoz at gmail.com
Mon May 28 12:50:26 EDT 2018


Hi,

When using the password reset function, an email is sent to the user in order
to change the password. There is no limit on the number of password change
requests a user can make, and a malicious user could generate a number of
requests and hence as many emails to the victim's email inbox. This is a
potential security risk.

Is there a way to stop this?

-Vinay
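
One way to bound how many reset emails a single address can receive, as an added example that is not part of the original post and is not Keycloak code. The class and function names, the limits (3 emails per hour, 60 seconds apart) and the address are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class ResetEmailThrottle:
    """Per-recipient sliding-window limit on password reset emails."""

    def __init__(self, max_emails=3, window_s=3600, min_gap_s=60, clock=time.monotonic):
        self.max_emails = max_emails
        self.window_s = window_s
        self.min_gap_s = min_gap_s
        self.clock = clock
        self._sent = defaultdict(deque)  # normalised address -> send timestamps

    def should_send(self, address):
        """Return True (and record the send) if a reset email may go out now."""
        key = address.strip().lower()    # "A@x" and " a@x " share one budget
        now = self.clock()
        sent = self._sent[key]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()               # forget sends that left the window
        if sent and now - sent[-1] < self.min_gap_s:
            return False                 # too soon after the previous email
        if len(sent) >= self.max_emails:
            return False                 # window budget already used up
        sent.append(now)
        return True


def handle_reset_request(throttle, address, outbox):
    """Hypothetical request handler: same reply whether or not mail is sent."""
    if throttle.should_send(address):
        outbox.append(address)           # stand-in for the real mail sender
    return "If the account exists, a reset link has been sent."


def simulate_flood(requests=100, spacing_s=1):
    """Constructed scenario: repeated requests against one address."""
    t = [0.0]
    throttle = ResetEmailThrottle(clock=lambda: t[0])
    outbox = []
    for _ in range(requests):
        handle_reset_request(throttle, "victim@example.test", outbox)
        t[0] += spacing_s
    return len(outbox)
```

The throttle is keyed on the recipient rather than the requester, so the inbox stays bounded even when requests arrive from many sources.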

