Password reset e-mails [message #187079] |
Tue, 15 March 2016 20:39 |
|
dgt224
Messages: 2 Registered: March 2016 Location: Augusta, Georgia, USA
Karma: 0
|
Junior Member |
|
|
In .../thm/default/tmpl/reset.tmpl, reset_newpass_msg is defined to include the text of reset_suffix. That incorporates the following text into the message informing a user that their password has been changed:
If you received this message in error, please ignore it.
If you are receiving multiple copies of this e-mail, which you
have not requested, please contact the forum administrator at ...
I suggest that including this text when the user's password has actually been changed is seriously misleading. As far as I can tell, reset_newpass_msg is never sent unless the user's password has been changed, so the user will subsequently be unable to log in on the forum that sent the message. There are other places where reset_suffix is appropriate, because the message can be triggered by an attacker without actually causing any damage. But in this case someone other than the user has apparently managed to trigger the password reset process and access the reset link with the correct key; I have been unable to think of a way to do so that doesn't involve reading the user's e-mail messages. That doesn't sound to me like something the user should ignore; in fact, it suggests that the user's login has been successfully hijacked and that their e-mail account has been compromised.
Since the first e-mail message sent for a password reset (reset_reset) also includes reset_suffix, it may suffice to simply remove reset_suffix from reset_newpass_msg. Alternatively, a new message based on reset_suffix but without the suggestion that the message be ignored could be added and used here.
|
|
|