Disable mail dispatch on attempted account access #2345

Closed
4 of 6 tasks
nolifeKangaroo opened this issue Mar 28, 2022 · 0 comments · Fixed by #3075
Labels
feat New feature or request. good first issue A good issue to tackle when being a novice to the project.

Comments


nolifeKangaroo commented Mar 28, 2022

Preflight checklist

Describe your problem

When users recover access to their account, an email is sent for two cases:

  1. User email is known to the system: We send out an email containing the recovery link
  2. User email is not known to the system: We send out an email that says that the user is unknown.

The second case may be abused by a malicious actor to send out mass emails to accounts. This can lead to bad email reputation, for example.

You can try out the flow yourself:

  1. Go to https://playground.projects.oryapis.com/ui/recovery and request a recovery email for your email (foo@example.org). Wait for the email to arrive at the inbox and read it.
  2. Sign up at https://playground.projects.oryapis.com/ui/registration with said email
  3. Try the flow again and see what email arrives now

Describe your ideal solution

A configuration option which allows the administrator to disable that. In the case that the option is enabled, no email would be sent if the user email is unknown. So the result should be:

  1. Go to https://playground.projects.oryapis.com/ui/recovery and request a recovery email for an email that has not signed up yet
  2. No email should arrive

Version

v0.9.0-alpha.2

@nolifeKangaroo nolifeKangaroo added the feat New feature or request. label Mar 28, 2022
@aeneasr aeneasr added the good first issue A good issue to tackle when being a novice to the project. label Mar 28, 2022
aeneasr pushed a commit that referenced this issue Feb 14, 2023
Added the ability to configure whether the system should notify unknown recipients, if someone tries to recover their account or verify their address ("anti-account-enumeration measures").

BREAKING CHANGES: By default, Kratos no longer sends out these Emails. If you want to keep notifying unknown addresses (keep the current behavior), set `selfservice.flows.recovery.notify_unknown_recipients` to `true` for recovery, or `selfservice.flows.verification.notify_unknown_recipients` for verification flows.

Closes #2345 
Closes #2585
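The model below is an added example written for this page, not Kratos's own code: it shows the two behaviours the issue and the fixing commit describe (send an "unknown address" mail, or send nothing) behind one switch, and why the response returned to the caller must be identical in both branches. The names `FlowService`, `Outbox`, `Mail` and `Request` are hypothetical; the in-memory identity store and mailer are constructed stand-ins. The `NotifyUnknownRecipients` field mirrors the `selfservice.flows.recovery.notify_unknown_recipients` and `selfservice.flows.verification.notify_unknown_recipients` keys named in the commit message, with the hardened default of `false`.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Mail is one outbound message captured by the stub mailer.
type Mail struct {
	To       string
	Template string // "<flow>_valid" or "<flow>_invalid"
	Token    string // only set for the "_valid" template
}

// Outbox is an in-memory stand-in for a real mail courier (constructed for this example).
type Outbox struct {
	Sent []Mail
}

func (o *Outbox) Send(m Mail) { o.Sent = append(o.Sent, m) }

// FlowService models one self-service flow ("recovery" or "verification")
// together with the notify_unknown_recipients switch for that flow.
type FlowService struct {
	Flow                    string          // "recovery" or "verification"
	NotifyUnknownRecipients bool            // hypothetical mirror of selfservice.flows.<flow>.notify_unknown_recipients
	Identities              map[string]bool // constructed sample identity store: known addresses
	Outbox                  *Outbox
}

// Response is what the caller (the UI) gets back. It is deliberately the same
// for known and unknown addresses so the HTTP layer itself leaks nothing.
type Response struct {
	State   string
	Message string
}

// Request handles one "send me a recovery/verification email" submission.
func (s *FlowService) Request(email string) Response {
	addr := strings.ToLower(strings.TrimSpace(email))
	switch {
	case s.Identities[addr]:
		// Known address: mail the link carrying a fresh random token.
		s.Outbox.Send(Mail{To: addr, Template: s.Flow + "_valid", Token: newToken()})
	case s.NotifyUnknownRecipients:
		// Legacy behaviour: tell the unknown address it has no account.
		// This is the branch an attacker can drive in bulk.
		s.Outbox.Send(Mail{To: addr, Template: s.Flow + "_invalid"})
	default:
		// Hardened behaviour: unknown address, nothing leaves the system.
	}
	// Same response in every branch; do not mention the address or the branch taken.
	return Response{
		State:   "sent_email",
		Message: fmt.Sprintf("If that address is registered, a %s email has been sent.", s.Flow),
	}
}

// newToken returns 128 bits of randomness as hex, as a stand-in for a real flow token.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	for _, notify := range []bool{true, false} {
		out := &Outbox{}
		svc := &FlowService{
			Flow:                    "recovery",
			NotifyUnknownRecipients: notify,
			Identities:              map[string]bool{"foo@example.org": true},
			Outbox:                  out,
		}
		svc.Request("foo@example.org")
		svc.Request("nobody@example.org")
		fmt.Printf("notify_unknown_recipients=%v -> %d mail(s) sent\n", notify, len(out.Sent))
		for _, m := range out.Sent {
			fmt.Printf("  to=%s template=%s\n", m.To, m.Template)
		}
	}
}
```

With the switch off, the only observable difference between a known and an unknown address is whether a message reaches the inbox, which the attacker controls only if they own that inbox. The constant response is as important as the suppressed mail: a distinct error or state for unknown addresses would reintroduce the enumeration oracle at the HTTP layer even with mail dispatch disabled.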