This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
warn users if someone tries to re-register their email address #2807
Comments
|
I don't think it's useful to send an email telling a user someone tried registering using their email address. There's generally no specific action they can take in response to that, and it opens up a way for someone to spam a user with these emails and/or rack up charges if that instance uses an email-sending service that bills based on email volume. |
Well, I think this would depend on the message e.g. we could suggest to enable 2FA if they haven't or to inform the administrator if it wasn't them.
Okay, but if I want to spam someone can I not use vaultwarden/src/api/core/accounts.rs Lines 549 to 554 in 382e610 |
I think recommending 2FA is mostly orthogonal to failed registration. That would make more sense in response to an incorrect password attempt, though I wouldn't support a notification for that either. I feel strongly that this email notification would just be an annoyance to the user, much as getting an email for every incorrect password attempt would be. Asking the user to inform the admin just additionally creates an annoyance to the admin, as there isn't much they can do either. It would be better to have a per-user security event log that could display such events, and I believe people have opened feature requests with Bitwarden related to this, but they haven't gotten around to implementing it yet. You had mentioned rate limiting registrations previously. There is a rate limiting mechanism already built into Vaultwarden, but it's only used for login attempts currently. I agree it could be reasonable to apply a rate limit for registrations too, though perhaps with its own configurable limit.
That's true enough, but that aspect of it isn't my primary concern. Arguably, there could be an option to disable |
|
I agree with @jjlin that warning them isn't something I would support either. |
BlackDex
added
enhancement
|
I don't see how that would annoy people as I think it is very unlikely to ever occur (and for users that try to register they might find it useful to get reminded of their account) and I think the issues you have raised could be addressed by making this feature optional but like I said in the first place this highly impractical for an attacker and I don't think this a likely attack vector either and the time and effort needed to implement this change is probably not worth it. 🤷 Do you think we should maybe add the random-delay from the password-hint vaultwarden/src/api/core/accounts.rs Lines 633 to 642 in 382e610 |
|
If someone can't register, they should just contact the admin or the one who invited them. They needs to check what is going on. Adding a random sleep to both of them isn't going to help either and will only make the process slower. |
As mentioned in the comments, the sleep is to mitigate the timing side channel, not to simulate a rate limit. |
I know, but if a rate-limit would help also. Depending on how strict it is set. But it doesn't hurt keeping it there. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
When signup is enabled it's possible to check if a user already exists for an attacker by registration which (while not practical) makes it in principle possible to enumerate users that way.
I've already made a pull request #2799 which improves the situation a bit insofar that it would get rid of the more explicit
"User already exists"error message but the security could be further improved by maybe rate-limiting the registration as well as simply sending the user a mail if someone tries to re-register their email address.So my idea would be to change the currently redundant check
vaultwarden/src/api/core/accounts.rs
Lines 103 to 109 in 382e610
The text was updated successfully, but these errors were encountered: