Commit 8e4ff8e

Merge pull request #80 from ossf/hide_email_create_or_reset
Add examples for create account and password reset
2 parents 7975ef2 + a1a8c25 commit 8e4ff8e

1 file changed

+2
-0
lines changed

secure_software_development_fundamentals.md

Lines changed: 2 additions & 0 deletions
@@ -3611,6 +3611,8 @@ Avoid giving security or sensitive information to untrusted users. If a request
36113611

36123612
* On a failed login, just say “*username or password failed*” or similar - don’t expose whether it was the username or the password that failed. That could tell the attacker that the username is valid, and makes further attacks easier.
36133613

3614+
* If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
3615+
36143616
* In general, don’t display sensitive/private data unless necessary at that point.
36153617

36163618
Implement audit logging early in development. Then, if you need to record more detailed information to aid debugging, report that information in the logs instead of displaying it to the user. Audit logs are really convenient for debugging (because they are designed to record useful information without interfering with normal operations), and you are more likely to include useful status information in the logs if they are developed in parallel with the rest of the program. They will also reduce the temptation to reveal too much to untrusted users.
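Review bot: the added bullet says what not to reveal but, unlike the failed-login bullet directly above it (which gives the wording “*username or password failed*”), it does not say what the application should respond instead, so a reader is left to work out how to handle both the account-creation and password-reset cases. Suggest adding the usual pattern in one sentence: return the same message whether or not the address is registered, e.g. “*If that email address is valid, we have sent a message to it with further instructions*”, and carry the real outcome (account already exists, or no account found) only in the email delivered to that address. It may also be worth a short caveat that both code paths should return the same page and status code and take roughly the same time, since an observable difference leaks the same information the message would.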
