blurts-server
Include links to password change forms on the site when passwords were breached
To make the breach notifications for logins much more actionable it would be great to include a direct link to the sites password change form. The link to this URL can be shown on the website and in about:logins to provide an easier path to changing the password on the site.
To do this, we will want to include the change-password urls in the Remote Settings collection.
To find the change-password urls we could:
- Look for the (probably tiny number of) breached sites that support the .well-known/change-password url.
- Maintain our own list of the breached sites' change password urls.
I can write a quick and dirty scraper to loop through all the breaches and see if they have a ${breach.Domain}/.well-known/change-password endpoint that doesn't 404, but considering it doesn't even look like mozilla.org, adobe.com, linkedin.com, microsoft.com, or myspace.com have the endpoints defined, I don't have high hopes.
Interestingly, it looks like both facebook.com and twitter.com do an HTTP 301/302 redirect to their respective login pages, which is cool.
My guess is that we'd have to maintain our own list of password change URLs (which feels a bit sketchy).
https://fx-breach-alerts.herokuapp.com/hibp/breaches says we have 370 known breaches (but only 352 have a Domain). Who wants to put bets on how many will have a /.well-known/change-password endpoint?
Can I bid 1 to be closest without going over? (Except it's probably actually 0)
An improvement on the work to be done in #1119
> Can I bid 1 to be closest without going over? (Except it's probably actually 0)
My guess was that I could definitely count the results on one hand, but looks like you were correct, 1 result:
http://armyforceonline.com/.well-known/change-password
After pasting the results, I'm realizing my code isn't very good, and probably should have treated a non-redirect as an error instead of saying "same" 32 times (which would have brought the number of potential "successes" down to 22, with ~96% being false positives). 🤷‍♀️
check-well-known-change-password.js
```javascript
const axios = require("axios");

const slug = "/.well-known/change-password";

async function main() {
  // Pull the breach list and keep only breaches that carry a Domain.
  const res = await axios.get("https://fx-breach-alerts.herokuapp.com/hibp/breaches");
  const breaches = res.data.filter(breach => breach.Domain);
  console.log(breaches.length);

  const successes = [];
  const errors = [];
  for (const breach of breaches) {
    try {
      const success = await checkWellKnownChangePassword(breach);
      successes.push(success);
      // "(same)" means the request did not redirect anywhere else.
      const sameUrl = success.changePasswordUrl === success.currentUrl || success.currentUrl.endsWith(slug);
      console.log(`${success.status} | ${success.changePasswordUrl} | ${sameUrl ? "(same)" : success.currentUrl}`);
    } catch (err) {
      errors.push(err);
    }
  }
  console.log("successes:", successes.length);
  console.log("errors:", errors.length);
}

async function checkWellKnownChangePassword(breach) {
  if (!breach.Domain) {
    const err = new Error(`No domain for ${breach.Name}`);
    err.breach = breach;
    throw err;
  }
  const changePasswordUrl = new URL(slug, `http://${breach.Domain}`).href;
  try {
    // axios follows redirects (via follow-redirects); any non-2xx final status throws.
    const res = await axios.get(changePasswordUrl, {timeout: 2500});
    res.breach = breach;
    res.changePasswordUrl = changePasswordUrl;
    // Final URL after redirects: follow-redirects exposes it as responseUrl;
    // fall back to its internal field for older versions.
    res.currentUrl = res.request.res?.responseUrl ?? res.request._redirectable._currentUrl;
    return res;
  } catch (err) {
    err.breach = breach;
    err.changePasswordUrl = changePasswordUrl;
    throw err;
  }
}

main().catch(err => {
  console.error(err);
  process.exit(1);
});
```
| STATUS | SOURCE URL | FINAL URL | NOTES |
|---|---|---|---|
| 200 | http://8tracks.com/.well-known/change-password | https://8tracks.com/404 | Redirects to 404 page (with a 200 status code?!) |
| 200 | http://ahashare.com/.well-known/change-password | (same) | |
| 200 | http://appartoo.com/.well-known/change-password | (same) | |
| 200 | http://armyforceonline.com/.well-known/change-password | http://armyforceonline.com/login/auth | SUCCESS |
| 200 | http://bell.ca/.well-known/change-password | (same) | |
| 200 | http://bell.ca/.well-known/change-password | (same) | |
| 200 | http://cannabis.com/.well-known/change-password | https://weedmaps.com/ | Redirects to new domain. |
| 200 | http://cashcrate.com/.well-known/change-password | https://www.cashcrate.com/ | Redirects to homepage (and upgrades to HTTPS) |
| 200 | http://cheapassgamer.com/.well-known/change-password | (same) | |
| 200 | http://clixsense.com/.well-known/change-password | (same) | |
| 200 | http://demonforums.net/.well-known/change-password | (same) | |
| 200 | http://dlh.net/.well-known/change-password | https://www.dlh.net/de/index.html | Redirects to homepage. |
| 200 | http://duowan.com/.well-known/change-password | http://www.duowan.com/s/404/404.html?from=configcommon | Redirects to 404 page (with a 200 status code) |
| 200 | http://edmodo.com/.well-known/change-password | (same) | |
| 200 | http://eroticy.com/.well-known/change-password | (same) | |
| 200 | http://freshmenu.com/.well-known/change-password | (same) | |
| 200 | http://gaadi.com/.well-known/change-password | (same) | |
| 200 | http://gpotato.com/.well-known/change-password | http://www.webzen.com/ | Redirects to new domain. |
| 200 | http://hounddawgs.org/.well-known/change-password | http://hounddawgs.org/cgi-sys/suspendedpage.cgi | 404 page. |
| 200 | http://houzz.com/.well-known/change-password | (same) | |
| 200 | http://intelimost.com/.well-known/change-password | (same) | |
| 200 | http://ipmart-forum.com/.well-known/change-password | (same) | |
| 200 | http://jobstreet.com/.well-known/change-password | (same) | |
| 200 | http://justdate.com/.well-known/change-password | (same) | |
| 200 | http://lanwar.com/.well-known/change-password | (same) | |
| 200 | http://majorgeeks.com/.well-known/change-password | https://www.majorgeeks.com/ | Redirects to homepage. |
| 200 | http://mangatraders.com/.well-known/change-password | http://ww1.mangatraders.com/ | Redirects to homepage. |
| 200 | http://mangafox.me/.well-known/change-password | (same) | |
| 200 | http://mcbans.com/.well-known/change-password | (same) | |
| 200 | http://myheritage.com/.well-known/change-password | https://www.myheritage.com/FP/page-not-found.php | Redirects to 404 page. |
| 200 | http://nihonomaru.net/.well-known/change-password | (same) | |
| 200 | http://nonnudegirls.org/.well-known/change-password | (same) | |
| 200 | http://opencsgo.com/.well-known/change-password | (same) | |
| 200 | http://ps3hax.net/.well-known/change-password | (same) | |
| 200 | http://qnb.com/.well-known/change-password | (same) | |
| 200 | http://quantumbooter.net/.well-known/change-password | (same) | |
| 200 | http://r2games.com/.well-known/change-password | (same) | |
| 200 | http://r2games.com/.well-known/change-password | (same) | |
| 200 | http://teracod.org/.well-known/change-password | http://ww7.teracod.org/ | Redirects to homepage. |
| 200 | http://tgbus.com/.well-known/change-password | http://www.tgbus.com/404/ | Redirects to 404 page. |
| 200 | http://thishabboforum.com/.well-known/change-password | (same) | |
| 200 | http://tianya.cn/.well-known/change-password | http://www.tianya.cn/ | Redirects to homepage. |
| 200 | http://uiggy.com/.well-known/change-password | https://www.uiggy.com/Home/Error | Redirects to 404 page. |
| 200 | http://intgovforum.org/.well-known/change-password | http://www.intgovforum.org/multilingual/ | Redirects to homepage. |
| 200 | http://uuu9.com/.well-known/change-password | http://www.uuu9.com/ | Redirects to homepage. |
| 200 | http://verified.cm/.well-known/change-password | http://ww12.verified.cm/ | Redirects to homepage. |
| 200 | http://viewfines.co.za/.well-known/change-password | (same) | |
| 200 | http://warmane.com/.well-known/change-password | https://www.warmane.com/notfound | Redirects to 404 page. |
| 200 | http://wiiuiso.com/.well-known/change-password | (same) | |
| 200 | http://wildstar-online.com/.well-known/change-password | https://us.ncsoft.com:443/ | Redirects to new domain. |
| 200 | http://wptapl.com/.well-known/change-password | https://www.worldpokertour.com/ | Redirects to new domain. |
| 200 | http://youku.com/.well-known/change-password | (same) | |
| 200 | http://zhenai.com/.well-known/change-password | https://www.zhenai.com/ | Redirects to homepage. |
| 200 | http://sprashivai.ru/.well-known/change-password | http://sprashivai.ru/ | Redirects to homepage. |

successes: 54
errors: 298
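The false-positive problem described above (a 200 with no redirect, or a redirect to a homepage or a soft-404 page, counted as a "success") can be handled by classifying the final URL instead of the status alone. The following is an added example, not code from this issue or from blurts-server; it injects a `probe` function so it runs offline against constructed responses modelled on rows of the table, and it uses the sentinel path the WICG change-password spec defines for detecting servers that return 200 for every URL.

```javascript
const SLUG = "/.well-known/change-password";
// Defined by the WICG change-password spec: a 2xx here means the server answers
// 200 for anything, so its 200 on the change-password URL proves nothing.
const SENTINEL =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";
// Heuristic for soft-404 landing pages, as seen in the FINAL URL column above.
const NOT_FOUND_RE = /404|not-?found|error|suspended/i;
// Homepage or a localized index page (e.g. "/", "/de/index.html").
const HOMEPAGE_RE = /^\/([a-z]{2}\/)?(index\.\w+)?$/i;

// probe(url) -> { status, finalUrl } with redirects already followed.
// Only a "candidate" verdict deserves a human look.
function classify(domain, probe) {
  const source = `https://${domain}${SLUG}`;
  const { status, finalUrl } = probe(source);
  if (status < 200 || status >= 300) return { domain, verdict: "error", finalUrl };
  const sentinel = probe(`https://${domain}${SENTINEL}`);
  if (sentinel.status >= 200 && sentinel.status < 300) {
    return { domain, verdict: "catch-all-200", finalUrl };
  }
  const path = new URL(finalUrl).pathname;
  if (finalUrl === source || path.endsWith(SLUG)) {
    return { domain, verdict: "no-redirect", finalUrl }; // the "(same)" rows
  }
  if (NOT_FOUND_RE.test(path)) return { domain, verdict: "not-found-page", finalUrl };
  if (HOMEPAGE_RE.test(path)) return { domain, verdict: "homepage", finalUrl };
  return { domain, verdict: "candidate", finalUrl };
}

// Constructed responses (not live data) modelled on rows of the table above,
// plus two made-up hosts for the catch-all-200 and unreachable cases.
const FAKE = {
  "armyforceonline.com": { [SLUG]: { status: 200, finalUrl: "https://armyforceonline.com/login/auth" } },
  "8tracks.com": { [SLUG]: { status: 200, finalUrl: "https://8tracks.com/404" } },
  "bell.ca": { [SLUG]: { status: 200, finalUrl: `https://bell.ca${SLUG}` } },
  "cashcrate.com": { [SLUG]: { status: 200, finalUrl: "https://www.cashcrate.com/" } },
  "dlh.net": { [SLUG]: { status: 200, finalUrl: "https://www.dlh.net/de/index.html" } },
  "catchall.example": {
    [SLUG]: { status: 200, finalUrl: "https://catchall.example/account" },
    [SENTINEL]: { status: 200, finalUrl: `https://catchall.example${SENTINEL}` },
  },
  "down.example": { [SLUG]: { status: 503, finalUrl: `https://down.example${SLUG}` } },
};
// Stand-in for an HTTP client; unknown paths get a proper 404.
function fakeProbe(url) {
  const u = new URL(url);
  return (FAKE[u.hostname] || {})[u.pathname] || { status: 404, finalUrl: url };
}
function verdicts() {
  return Object.fromEntries(Object.keys(FAKE).map((d) => [d, classify(d, fakeProbe).verdict]));
}
console.table(Object.keys(FAKE).map((d) => classify(d, fakeProbe)));
```

With a real HTTP client, `probe` would issue the request with redirects followed and a short timeout, as the script above does; only the classification logic changes.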
Apple has now made an open-source repo to provide overrides for sites that don't implement /.well-known/change-password: https://github.com/apple/password-manager-resources/blob/master/quirks/change-password-URLs.json
Closing since we've redesigned the site and functionality since this was created. If you feel that this is still needed, please let me know.