Auth0 Change Password Unexpected behaviour

muhammadqazi · July 10, 2023, 12:48pm

Hey Auth0 Community,

I came across a potential bug in the password reset feature of Auth0 that I believe needs attention. When I entered an incorrect email address, the system still returns a success message, stating “We’ve just sent you an email to reset your password.%”. This behavior seems incorrect as it should ideally show an error message indicating that the email does not exist in the system. This issue raises concerns regarding the security and reliability of the password reset functionality, potentially allowing unauthorized access attempts by verifying the existence of email addresses.

I am using this api
curl --request POST
–url ‘**/dbconnections/change_password’
–header ‘content-type: application/json’
–data ‘{“client_id”: “*******”,“email”: “some email”,“connection”: “Username-Password-Authentication”}’

markd · July 10, 2023, 1:41pm

I believe this is intentional. The point is to not leak information re: what email addresses are registered and which are not. I’m not convinced it provides a meaningful security benefit—you can just use the registration page to fish for registered email addresses—but the current behaviour is intentional.

muhammadqazi · July 10, 2023, 1:49pm

but even on the correct emails, I can’t get the reset email.

Topic		Replies	Views
Can't reset password Help	2	1495	February 2, 2023
Users not receiving email to reset password Help login-experience , reset-password-prompt-new-experience	2	1380	May 2, 2023
Password reset exposes account exists Help password-reset	3	3612	July 25, 2019
Why does the Change Password API always return a "valid" result? Help password-reset , validate , validation	4	6513	March 2, 2018
Auth0 password and/or email silently changed Help login	6	4211	October 24, 2018

Auth0 Change Password Unexpected behaviour

Related Topics