Did you check to see if this issue already exists?
Is this only a single bug? Do not put multiple bugs in one issue.
Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.
Summary
An attacker can find out which emails are registered on a given Lemmy instance by using endpoints which return LemmyErrorType::EmailAlreadyExists (register and save settings). The solution:
The "clean" way I guess would be to just return "ok" always with a message of "an email has been sent to the new email to verify it" and to send two different emails, one saying "could not change email since another account already exists" and one saying "click here to verify your email".
I guess that might be too much effort for this change though. Email enumeration will happen though when Lemmy gets popular enough and cause account takeovers for people that like to reuse passwords.
Rather than send two emails, send a verification e-mail to a valid account, otherwise do nothing. The wording could then be "If an account with that e-mail exists, a verification mail has been sent".
We can probably close this then, because with registration rate limits (I think it's 3 / hour by default), it'd take someone years for this attack.
With some IPv6 addresses, someone could switch to different addresses on the same network and do up to 16 times more registrations than the maximum for each address.
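The leaky handler from the issue beside the uniform-response variant proposed in the first reply, as an added example in Rust (not Lemmy's own code; `Db`, `Mail`, the outbox and the handler names are constructed stand-ins):

```rust
use std::collections::HashSet;

/// The Lemmy error variant named in the issue (subset, constructed for this example).
#[derive(Debug, PartialEq)]
pub enum LemmyErrorType {
    EmailAlreadyExists,
}

/// Mail the handler would send; captured in an outbox so the example runs offline.
#[derive(Debug, PartialEq)]
pub enum Mail {
    VerifyNewEmail(String),
}

/// Constructed stand-in for the user table: the set of registered addresses.
pub struct Db {
    pub emails: HashSet<String>,
}

impl Db {
    pub fn with(emails: &[&str]) -> Self {
        Db { emails: emails.iter().map(|e| e.to_string()).collect() }
    }
}

/// Leaky: the error variant alone tells the caller whether `new_email` is registered.
pub fn change_email_leaky(db: &Db, new_email: &str, outbox: &mut Vec<Mail>)
    -> Result<&'static str, LemmyErrorType> {
    if db.emails.contains(new_email) {
        return Err(LemmyErrorType::EmailAlreadyExists);
    }
    outbox.push(Mail::VerifyNewEmail(new_email.to_string()));
    Ok("an email has been sent to the new email to verify it")
}

/// Hardened: the same reply either way; only a free address gets the verification
/// mail, so the existence check is decided at a step the caller cannot observe.
/// Hand the mail to a background job so response time does not differ by branch.
pub fn change_email_uniform(db: &Db, new_email: &str, outbox: &mut Vec<Mail>) -> &'static str {
    if !db.emails.contains(new_email) {
        outbox.push(Mail::VerifyNewEmail(new_email.to_string()));
    }
    "If an account with that e-mail exists, a verification mail has been sent"
}
```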