20100115

Problem ID: 2252340100921344845
Entered by: Ben Simo
Is there a problem here?

That was the wrong password



I got the above screen after failing to login to my Meetup account to RSVP for a meeting.

As a user, I like that it tells me that I used the correct email address but wrong password.

However, the system has just confirmed account information to someone who has not authenticated: it tells me that the email address I entered belongs to a valid user. That information could be helpful to someone trying to gain unauthorized access.

Now, in this case, I don't think disclosing that email accounts exist is a huge deal. This is a social networking site. This is not a banking system. This is not a medical records system. It is not an interface to access private information. Meetup profiles are public and searchable on the web -- although not email addresses. I say no problem in the context of this site.

For other systems, giving non-authenticated people information that narrows down access credential options could be a huge security problem.
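To make the difference concrete, here is an added example (my own illustration, not code from Meetup or from this post) contrasting a login routine that leaks account existence through its error text with one that returns a single message and does the same amount of work whether or not the email is known. The user store, helper names and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample user store: email -> (salt, PBKDF2 hash). Not real data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential (hypothetical helper) so an unknown email still pays the
# hashing cost; otherwise response time alone would reveal which emails exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)


def login_leaky(email: str, password: str):
    """The pattern described in the post: the failure text itself says
    whether the email address is registered."""
    rec = USERS.get(email)
    if rec is None:
        return False, "No account with that email address"
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "Welcome"
    return False, "That was the wrong password"


def login_uniform(email: str, password: str):
    """Hardened form: one message for both failure cases, and a real hash
    comparison even for unknown emails so timing does not differ either."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and email in USERS
    return ok, ("Welcome" if ok else "Invalid email address or password")


def responses_distinguish_accounts(login) -> bool:
    """Review check: do the failure messages for an unknown email and a wrong
    password differ? True means the login response enumerates accounts."""
    _, unknown_msg = login("nobody@example.com", "x")
    _, wrong_pw_msg = login("alice@example.com", "x")
    return unknown_msg != wrong_pw_msg
```

Whether the uniform message is the right trade-off depends on the site, as the post argues; the check function makes the leak visible either way.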


