
[Bug]: Reset password requests aren't rate limited

Open delendum opened this issue 1 year ago • 0 comments

Requirements

  • [X] Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • [X] Did you check to see if this issue already exists?
  • [X] Is this only a single bug? Do not put multiple bugs in one issue.
  • [X] Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

It's possible to spam "Reset password" as many times as you like as long as you enter a known e-mail address.

More concerning is that you are also able to do this for newly signed-up users who haven't yet verified their e-mail address or had their application accepted. A bad actor can potentially use this as an attack against an individual instance, or use many instances to flood a particular mailbox.

Please introduce a low rate limit on "Reset password" requests. NGINX rate limits eventually kick in, but this is definitely not enough/desirable.

Steps to Reproduce

  1. Enter a known e-mail address on the Log In screen
  2. Spam "Reset Password"
  3. E-mail gets sent repeatedly to the mailbox in question.

Technical Details

NGINX rate limits eventually kicking in:

2023/06/24 18:48:57 [error] 633#633: *102280 limiting requests, excess: 30.602 by zone "lemdit.com_ratelimit", client: 192.168.30.30, server: lemdit.com, request: "POST /api/v3/user/password_reset HTTP/1.1", host: "lemdit.com", referrer: "https://lemdit.com/login"
2023/06/24 18:49:04 [error] 632#632: *102459 limiting requests, excess: 30.099 by zone "lemdit.com_ratelimit", client: 192.168.30.30, server: lemdit.com, request: "POST /api/v3/user/password_reset HTTP/1.1", host: "lemdit.com", referrer: "https://lemdit.com/login"

Version

BE: 0.18.0

Lemmy Instance URL

https://lemdit.com

delendum avatar Jun 24 '23 07:06 delendum
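The limiter the report asks for, as an added example that is not Lemmy's code and not part of the original issue. It is written in Rust because the Lemmy backend is Rust, but the `ResetRateLimiter` type, its method names, the limits chosen and the injected clock are all assumptions made for illustration. The point it demonstrates is the one the second paragraph raises: a per-client-IP limit like the NGINX zone in the log above only slows a single source, while a second counter keyed by the target e-mail address is what bounds how many messages one mailbox can receive in a window, no matter how many IPs or instances the requests arrive from. Timestamps are passed in as seconds so the behaviour is deterministic; a real handler would pass the current UNIX time.

```rust
use std::collections::HashMap;
use std::time::Duration;

/// Outcome of a rate-limit check for one password-reset request.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Throttle,
}

/// Sliding-window limiter for password-reset requests (illustrative, not Lemmy's).
///
/// Two independent counters are kept:
///  - keyed by the normalized target e-mail address, which protects the mailbox
///    regardless of how many source IPs or instances the requests come from;
///  - keyed by client IP, which bounds what one source can do against many addresses.
pub struct ResetRateLimiter {
    window_secs: u64,
    max_per_email: usize,
    max_per_ip: usize,
    email_hits: HashMap<String, Vec<u64>>,
    ip_hits: HashMap<String, Vec<u64>>,
}

impl ResetRateLimiter {
    pub fn new(window: Duration, max_per_email: usize, max_per_ip: usize) -> Self {
        Self {
            window_secs: window.as_secs(),
            max_per_email,
            max_per_ip,
            email_hits: HashMap::new(),
            ip_hits: HashMap::new(),
        }
    }

    /// Trim and lowercase so "User@Example.com " and "user@example.com" share a bucket.
    fn normalize_email(email: &str) -> String {
        email.trim().to_ascii_lowercase()
    }

    /// Drop timestamps that fell out of the window; return how many remain.
    fn prune(hits: &mut Vec<u64>, now: u64, window: u64) -> usize {
        hits.retain(|&t| now.saturating_sub(t) < window);
        hits.len()
    }

    /// Decide whether a reset e-mail may be sent for `email` from `client_ip` at time `now`
    /// (seconds). Call this before looking the address up and return the same generic
    /// response to the client either way, so the limiter cannot be used to tell known
    /// addresses from unknown ones. Throttled requests are not recorded, so a flood does
    /// not keep extending its own window.
    pub fn check(&mut self, email: &str, client_ip: &str, now: u64) -> Decision {
        let window = self.window_secs;
        let email_entry = self.email_hits.entry(Self::normalize_email(email)).or_default();
        let ip_entry = self.ip_hits.entry(client_ip.to_string()).or_default();
        let email_count = Self::prune(email_entry, now, window);
        let ip_count = Self::prune(ip_entry, now, window);
        if email_count >= self.max_per_email || ip_count >= self.max_per_ip {
            return Decision::Throttle;
        }
        email_entry.push(now);
        ip_entry.push(now);
        Decision::Allow
    }
}

fn main() {
    // Constructed scenario: three reset requests per address per hour, twenty per IP.
    // Requests 4 and 5 for the same mailbox are refused even though they come from a
    // different IP, which is the case a per-IP proxy limit alone does not cover.
    let mut limiter = ResetRateLimiter::new(Duration::from_secs(3600), 3, 20);
    let sources = ["192.168.30.30", "192.168.30.30", "192.168.30.30", "10.9.8.7", "10.9.8.7"];
    for (i, ip) in sources.iter().enumerate() {
        let d = limiter.check("victim@example.org", ip, 1_687_632_000 + i as u64);
        println!("request {} from {}: {:?}", i + 1, ip, d);
    }
}
```

The per-e-mail window is the one to keep tight (a handful of messages per hour is plenty for a legitimate user), while the per-IP limit can be looser since it mainly catches bulk probing of many addresses; neither replaces a generic "if that address exists, a message has been sent" response.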