Rocket.chat: Password reset confirmed also at non-existing e-mail address
When asking for a password reset, a notification pops up, that an e-mail has been sent with further instructions, even with non-existing e-mail addresses. We would expect saying that there is no user associated to that e-mail address.
Furthermore, if you repeat this, the "Password reset" button is duplicated (see screenshot):
Rocket.Chat Version: 0.52
rasos
All 7 comments
@rasos this could possibly be a "security feature". Because you can get the information is someone is registred with this email adress.. if it says at all requests "positive" you dont have this problem.
TheReal1604
on 3 Mar 2017
For the reasons stated by @TheReal1604 we will always do a false positive, but the button error needs to be fixed @karlprieb
engelgabriel
on 5 Mar 2017
Maybe we should make it more clear.. adding a "If this email is registered, we'll send instructions on how to reset your password"
engelgabriel
on 5 Mar 2017
@rasos , I am unable to reproduce the bug. I'm on 0.53-develop. When I click on reset password, it takes me to the login page. when I again click forgot password, I don't see any duplicated button.
va6996
on 6 Mar 2017
@va6996 the duplicated button is definitely reproducable on 0.52, I have the same issue on a test server as well as on production, both repeatedly updated since 0.36 or so. Will check again after our next upgrade cycle.
rasos
on 7 Mar 2017
Weird login button behaviour is duplicate of #6255 - see screencast https://vid.me/qUoP
rasos
on 7 Mar 2017
The button error was fixed on 0.56 (#6741) and the behaviour reported is so by design, so I'll be closing this issue.
Hudell
on 6 Jun 2018
Related issues
royalaid
路
3Comments
djeber
路
3Comments
karlprieb
路
3Comments
amayer5125
路
3Comments
neha1deshmukh
路
3Comments
Most helpful comment
@rasos this could possibly be a "security feature". Because you can get the information is someone is registred with this email adress.. if it says at all requests "positive" you dont have this problem.