[Not a bug] GDPR violation: "Reset password" function leaks (registered) email addresses!

Affected version: 2.1.7
Hi there,

when you use the "reset password" function with an invalid (== non-registered) email address, you get an "Oops, an error occurred" popup.
When you enter a valid (registered) mail address, it shows an "Alright, we will send you the reset link"-like message.

This behaviour breaks GDPR rules because you can determine if a specific mail address is registered!

Solution:
Whether registered or not, the reset password function should always return the very same page with a text like
"If your email is registered, you'll receive a password reset link within the next few minutes..." or something like this!

Only this is a GDPR compliant password reset function!
 
How does that break GDPR rules or any other privacy legislation rules?

When members register, they need a valid email address. They know that. Your Privacy statement should outline what data is in the database.

So now a member wants to reset his/her password and enters the email address and then gets a confirmation that they should expect an email.

That's not a privacy violation. It's helpful information to members who may have 2 or more email addresses and aren't sure which one they used to register. Almost every site I have ever visited, Xenforo or on any other platform including large corporations, provides that if I enter the wrong email address.

Any member who objects to that can submit a GDPR request to have his/her information expunged from the database. Problem solved.
 
When members register, they need a valid email address. They know that. Your Privacy statement should outline what data is in the database.
So now a member wants to reset his/her password and enters the email address and then gets a confirmation that they should expect an email.

That's right so far, and that's not the problem. Did you read the text carefully?

The main problem is, that GDPR "requires" that the board does not give personal information (like email addresses!) of any user "to the wild".

However, in Xenforo it's possible to check if e.g. bill.gates@microsoft.com is registered (or not), because you get different return codes ("You get a mail", "Oops, no record found").

And exactly THIS behaviour breaks GDPR rules!

This is not a discussion about laws, it's a simple fact, ask a lawyer.

Furthermore, changing that behaviour in XF is no big deal for the core devs, just remove the "error code" popup and always show the success popup.

Almost every site I have ever visited, Xenforo or on any other platform including large corporations, provides that if I enter the wrong email address.

First, it's not true, because the laws are pretty clear on that and especially large companies are changing these functions.
And if someone (private or a company) doesn't obey the laws, it doesn't make it legal then.
 
That's right so far, and that's not the problem. Did you read the text carefully?
Yes. Did you?

The main problem is, that GDPR "requires" that the board does not give personal information (like email addresses!) of any user "to the wild".

However, in Xenforo it's possible to check if e.g. bill.gates@microsoft.com is registered (or not), because you get different return codes ("You get a mail", "Oops, no record found").

And exactly THIS behaviour breaks GDPR rules!
So people can find out that Bill Gates is NOT registered. Does that violate his privacy?

This is not a discussion about laws, it's a simple fact, ask a lawyer.
Have YOU done that? I doubt it. And the agency to ask would be the GDPR, not a random lawyer.

Furthermore, changing that behaviour in XF is no big deal for the core devs, just remove the "error code" popup and always show the success popup.
Did you read MY text carefully?

I made the point that the current way works well and is helpful for registered members and is not a privacy violation. I prefer it that way.

If you object, you can always edit those phrases, you know.

First, it's not true, because the laws are pretty clear on that and especially large companies are changing these functions.
And if someone (private or a company) doesn't obey the laws, it doesn't make it legal then.
I think you're wrong. And you saying it's illegal doesn't make it illegal.
 
I'm failing to see the "leaked" email here; in order to perform a reset they would already need to know the email anyway.
Erm ... no. This function could be used to probe the database for registered members by checking (generated) E-Mail addresses.
And this might indeed be a privacy issue.

However, I don't think that there is a waterproof and user friendly way to fully prevent this kind of probing.

While it would definitely be possible to just show "If we have an account for this user, an email has been sent", this isn't really helpful - the user might have mistyped the E-Mail and thus is waiting for an email that will never arrive.

Account registration is much more difficult.
If you enter an existing E-Mail address you will get "Email addresses must be unique. The specified email address is already in use."

How should this be changed?
"An error occurred while trying to process the registration but we are legally not allowed to give you information what went wrong. Please correct the error and try again".

That is not helpful at all and still indirectly leaks the info that an account with the email address is already registered.

And the agency to ask would be the GDPR, not a random lawyer.
A "GDPR Agency" does not exist :)
 
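The two endpoints argued over in this thread, the "reset password" form from the opening report and the registration form Kirby raises, side by side in their enumeration-prone form and in a uniform-response form. This is an added illustration written for this page, not XenForo code and not anything any poster wrote; the in-memory account set, the Outbox class, the message strings and the enumerable() probe are all constructed assumptions. The probe plays the attacker: it submits one address known to be registered and one that is not, and reports whether the visible response differs.

```python
"""Account-enumeration oracle in password-reset and registration forms.

Added example for this discussion (assumption: nothing here is XenForo's
own code). The leaky handlers reproduce the behaviour described in the
thread; the uniform handlers return the same body on both paths and move
the "already registered" information into an email to the address owner.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample account store; a real site would query its database.
REGISTERED = {"alice@example.org", "bob@example.org"}


@dataclass
class Outbox:
    """Records mails that would be queued for sending; nothing is actually sent."""
    sent: list = field(default_factory=list)


# ---- Behaviour described in the report: the response depends on the lookup ----

def reset_leaky(email, registered, outbox):
    if email not in registered:
        return "Oops, an error occurred"  # tells an anonymous caller: not registered
    outbox.sent.append(("reset", email, secrets.token_urlsafe(32)))
    return "Alright, we will send you the reset link"


def register_leaky(email, registered, outbox):
    if email in registered:
        return "Email addresses must be unique. The specified email address is already in use."
    registered.add(email)
    outbox.sent.append(("verify", email, secrets.token_urlsafe(32)))
    return "Please confirm your email address to complete registration."


# ---- Uniform responses: the body never depends on whether the address exists ----

RESET_MSG = "If that address is registered, a password reset link will arrive shortly."
REGISTER_MSG = "Please check your email to continue registration."


def reset_uniform(email, registered, outbox):
    token = secrets.token_urlsafe(32)  # same work on both paths, so timing stays flat
    if email in registered:
        outbox.sent.append(("reset", email, token))
    # Unknown (or mistyped) address: nothing is mailed, but the page looks identical.
    return RESET_MSG


def register_uniform(email, registered, outbox):
    token = secrets.token_urlsafe(32)
    if email in registered:
        # The existing owner is told by mail; the anonymous caller learns nothing.
        outbox.sent.append(("already-registered", email, token))
    else:
        registered.add(email)  # assumption: account stays pending until verified
        outbox.sent.append(("verify", email, token))
    return REGISTER_MSG


def enumerable(handler, known="alice@example.org", unknown="nobody@example.org"):
    """Attacker's probe: does the visible response differ for a known vs unknown address?"""
    seen = handler(known, set(REGISTERED), Outbox())
    unseen = handler(unknown, set(REGISTERED), Outbox())
    return seen != unseen


if __name__ == "__main__":
    for h in (reset_leaky, register_leaky, reset_uniform, register_uniform):
        print(f"{h.__name__:17s} enumerable: {enumerable(h)}")
```

The uniform registration variant only works when an account cannot be used until the address is verified, which is the case Kirby's objection turns on: without that step the site has to refuse the duplicate on the spot and the oracle returns. A uniform response body also closes just one channel. If the reset mail is sent synchronously, the known-address path is measurably slower; HTTP status codes, redirect targets and the login form's own error messages can each reopen the oracle, and rate limiting on these endpoints is still needed because an attacker who cannot read the answer can still try to infer it from the mail that does or does not arrive at addresses they control. The usability cost Kirby describes is real; the usual compromise is the uniform message plus a prompt to double-check the spelling of the address.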
So people can find out that Bill Gates is NOT registered. Does that violate his privacy?
I may have interpreted what you mean here wrongly, but just to clarify what he's suggesting is that you wouldn't possibly be able to determine whether or not the email address is registered - an error isn't shown if the email isn't registered, so without access to the email there's no possible way of knowing.

If you object, you can always edit those phrases, you know.
This wouldn't resolve the issue. You can still determine if the email address is registered or not by whether or not an error is shown, or the submission is accepted.

Honestly I don't see it as being a major issue either but your points are mostly invalid. If you wanted to get an official stance on this you'd have to contact the ICO.
 
I see the point, but - as stated by @Kirby - not "leaking" registered email addresses within the registration process is nearly impossible.

Another important fact: There may be an account with email address bill.gates@microsoft.com on my forum. But this does not mean that Bill Gates himself has registered it, because you will not know the username or whether the account has been activated or not.
 
The email address is personally identifiable information but that's not the information being disclosed here (as it's known in advance). The information being disclosed is the status of having an account on that site. That doesn't fall under PII does it?
 
The email address is personally identifiable information but that's not the information being disclosed here (as it's known in advance). The information being disclosed is the status of having an account on that site. That doesn't fall under PII does it?

I have to agree that I do not see this as a GDPR violation, and as Rob pointed out even though email addresses are personally identifiable information, they are not being disclosed or leaked if they are previously unknown.
 
GDPR, wasn't that like that Millennium bug thing, our very existence threatened, but it came and went; the world carried on regardless.
 