You would think a "Forgot Email" feature would be simple to implement: a feature to send an email to an account by providing the username.

And it can be, but a feature like this has several vectors that are ripe for abuse.

Some examples:
- Credential stuffing
- Targeted account takeovers
- Email quota overage
- Account state exfiltration

Our mitigations:
- IP address rate limits (10/1440 mins)
- Once per account for 24h
- Email quota (no overages)
- Random timing delays
- General error messages

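As an added example, not code from the post above and not Pixelfed's own implementation, here is one way the five mitigations compose into a single request handler in Python. The daily quota, the delay range, and every identifier in it are assumptions; the sample accounts and IPs are constructed for the demo.

```python
"""Added example: a toy 'forgot email' handler with the five mitigations above.

Assumptions (not from the post): quota size, delay range, all identifiers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import random
import time

IP_LIMIT = 10                    # 10 requests per source IP ...
IP_WINDOW_S = 1440 * 60          # ... per 1440 minutes (24 h)
ACCOUNT_COOLDOWN_S = 24 * 3600   # once per account per 24 h
DAILY_EMAIL_QUOTA = 500          # assumed provider quota; never exceeded
DELAY_RANGE_S = (0.2, 0.8)       # assumed jitter added to every response
# One message for every outcome, so the response body tells an attacker nothing.
GENERIC_MSG = ("If that username exists and is eligible, an email has been "
               "sent to the address we have on file.")


@dataclass
class ForgotEmailService:
    accounts: Dict[str, str]                    # username -> email (constructed data)
    email_quota: int = DAILY_EMAIL_QUOTA
    rng: random.Random = field(default_factory=random.Random)
    sleep: Callable[[float], None] = time.sleep
    ip_hits: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    last_sent: Dict[str, float] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # mails "sent"
    audit: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def request(self, username: str, ip: str, now: Optional[float] = None) -> str:
        """Public entry point: always returns GENERIC_MSG, whatever happened."""
        now = time.time() if now is None else now
        reason = self._decide(username.strip().lower(), ip, now)
        self.audit.append((now, ip, username, reason))   # server-side log only
        # Random delay so response time does not reveal which branch ran.
        self.sleep(self.rng.uniform(*DELAY_RANGE_S))
        return GENERIC_MSG

    def _ip_allowed(self, ip: str, now: float) -> bool:
        """Sliding window: every request from the IP counts, even rejected ones."""
        window = self.ip_hits[ip]
        while window and now - window[0] >= IP_WINDOW_S:
            window.popleft()
        if len(window) >= IP_LIMIT:
            return False
        window.append(now)
        return True

    def _decide(self, username: str, ip: str, now: float) -> str:
        if not self._ip_allowed(ip, now):
            return "ip_rate_limited"
        email = self.accounts.get(username)
        if email is None:
            return "unknown_account"
        last = self.last_sent.get(username)
        if last is not None and now - last < ACCOUNT_COOLDOWN_S:
            return "account_cooldown"
        if self.email_quota <= 0:
            return "quota_exhausted"       # drop the mail rather than overrun the quota
        self.email_quota -= 1
        self.last_sent[username] = now
        self.outbox.append((username, email))
        return "sent"


def demo() -> List[str]:
    """Drive the handler with constructed input; returns the internal reasons."""
    svc = ForgotEmailService(accounts={"alice": "alice@example.invalid"},
                             sleep=lambda _s: None)   # no real sleeping in the demo
    ip = "203.0.113.5"
    svc.request("alice", ip, now=0.0)              # sent
    svc.request("alice", ip, now=60.0)             # account_cooldown
    svc.request("mallory", ip, now=120.0)          # unknown_account
    for i in range(7):                             # exhausts the IP budget (10 total)
        svc.request("mallory", ip, now=180.0 + i)
    svc.request("alice", ip, now=1000.0)           # ip_rate_limited (11th in window)
    svc.request("alice", ip, now=IP_WINDOW_S + 200.0)   # window and cooldown expired: sent
    return [reason for (_, _, _, reason) in svc.audit]


if __name__ == "__main__":
    for reason in demo():
        print(GENERIC_MSG, "|", reason)
```

The only place the real outcome appears is the server-side audit list; the caller sees the same string and a jittered delay every time. Note that jitter narrows the timing signal but does not remove it, so the lookup should cost roughly the same on the "unknown account" and "sent" paths as well; and since per-IP limits are cheap to evade with many addresses, the per-account cap and the hard quota are what actually bound the email volume.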
Jippi

@dansup I have also seen success with asking users to go to their inbox and search for the mail domain to find it - assuming the pixelfed welcome/confirm mail content includes the username :)

"""
"Forgot your email?
No worries! You can search your inbox for "from:pixelfed.dk" and check your welcome mail - otherwise, put your username in the form below, and we will send you an email"
"""

Geoff-by-Sea

@dansup Credential stuffing sounds painful

Francis 🚀 Gulotta

@dansup the rabbit hole goes deep

Alex Brown

@dansup once per 24h would definitely fail for me for reasons relating to the way embedded browsers in email clients frequently lose state and password managers are not 100% reliable.

I almost always end up requesting 2-3 resets in a row.
