Fixed Restrict password request rate for registered users who currently have no password set.

[enivid]

Affected version

2.2.2

Currently (XF2.2.2), when a user doesn't have a password set for their account and requests a password via the "Password and security" page, they can send any number of requests without any restrictions. Of course, they can only flood their own email account in such a way, but this also unnecessarily stresses the forum's email server. An option is required to restrict the rate at which registered users can request a password emailed to them in such a way.

Thanks!

 

[pegasus]

they can only flood their own email account in such a way

Not necessarily. A malicious user can theoretically request a password for the victim, as long as they know the victim's email address, even though they don't control the victim's email account. In doing so repeatedly, the victim's inbox can be flooded with 100s or 1000s of unwanted password-reset mails. Meanwhile the forum now gets blamed for spamming victim, rather than the attacker receiving blame. This is similar to a mail server acting as an open relay.

Password resets should be both throttled (x seconds between requests), and rate limited (maximum x requests per x minutes), probably by both originating IP and per account. This would not stop a victim who actually wants to reset their password at the same time their account is being targeted in this way, since the victim actually received the emails that were rate limited.

 

[enivid]

A malicious user can theoretically request a password for the victim, as long as they know the victim's email address, even though they don't control the victim's email account.

This scenario is currently impossible because:
1. When requesting a password reset while not being logged in, a captcha is used.
2. When requesting a password while being logged in, the password will only be sent to a confirmed email address.

 

[pegasus]

It is not impossible. Think about what happens if the address is already confirmed. Take your account on this site, for example; I assume it is confirmed. If I know your email address, I can go to xf.com/login, click Forgot Password, and type your email address. You will get the reset email, even though I filled it out. I can keep filling it out, and you will keep getting emails and not understand why. Just because there is a captcha, does not stop me as a human, and there are known bot softwares out there (I won't name them here but I had to ban some users on my XF site who were using them) that can bypass most of the captcha settings in XenForo.

 

[enivid]

@pegasus That's not an issue at all. With captcha, the rate of email requests will be very low.

 

[pegasus]

There are bots for sale online which can solve captchas with high success rate in a fraction of the time. Depending on the captcha you choose in XenForo's options, these bots are slower or faster. Although I wish it were so, unfortunately a captcha is not a rate limiter.

Setting that aside, even if I had to solve the captcha manually. Me being a lowly human. I can usually solve recaptcha v2 in about 2 seconds, but let's say I sometimes take 10 seconds because I received the recaptcha challenge. Now imagine me sending you that password reset email every 3-11 seconds (extra second added for load times) for 6 hours, and I bother doing this because I work for a troll farm. You will receive over 1900-7200 emails. You say the "rate of email requests will be very low", so even take the 1900 number. Would you be okay receiving that many? Can you guarantee that all of your forum members would be okay with that?

 

[enivid]

That'd be 6 hours of work wasted to get a user to do a one click to select the email thread and one click to delete it.

Besides, you will start getting a challenge on every recaptcha after a certain number of requests during a period of time.

This isn't comparable to when there is no rate limit at all. Even a 1 second delay due to the captcha would make the problem reported in the original post here a non-issue.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.4).

Change log:

When an account that does not have a password set is requesting a new password, ensure some amount of rate limiting is imposed to avoid repeat requests.

There may be a delay before changes are rolled out to the XenForo Community.