Security concern? 'Send password reset email' workflow gives away whether account exists

Hi there

I’m working on the forgot password feature for my app.

My understanding of best practice is to not tell the person making the forgot password request whether or not a particular email address is associated with an account on a site.

For example, a website might say, “We’ve attempted to send a reset link to [email provided]. Please check your email.”

However, it seems that bubble.is does give away whether an account with that email exists:

Does anyone have any experience with this issue? Am I being overly security conscious?

Cheers
Travis

You can change the prompt to say something else like “this password-email combination was not valid. Please try again”

Thanks @cdorozco16, that’s a good start.
It doesn’t quite go all the way to solving the issue though.

Changing the language code for the ‘NO_SUCH_USER’ value is helpful e.g.
[image]

Though someone doing this many times will know when they hit a real email, as it will trigger those workflow conditions specified e.g. reset inputs, close popup - so for the best integration, you’d need to use the following workflow event:
[image]

You’ll be able to enter the exact error code and run a set of workflow actions to not give away any sign that the email/user exists. So whether the password reset workflow actions runs or not, it acts the same way in showing an alert like the one above, resetting the inputs and closing the popup…

With that said, I’ve run a quick test on Bubble’s default login/signup reusable element with a password reset and applied the following:
[image]
[image]

But the standard browser error appears - am I missing something? Is this a bug? Or a known fact that you can’t run this on password reset workflows? @neerja

2 Likes

Is there any solution for this? I don’t think editing ‘NO_SUCH_USER’ is a valid fix, as it is also used in the login, so you would get the same message when a user logs in with an email that does not exist or has a typo.

Thanks

Agreed Travis - @mangooly the ‘industry standard’ is to neither confirm nor deny (I’m not a spy) the existence of a user record, which is a better way to handle it. It’s not necessarily a huge risk, but I do see your concern.

Personally I wouldn’t worry, but a workaround to prevent that frontend browser message would be to run the action as a server-side workflow, which, if it fails, won’t be shown to your user. Or, as you say, use the ‘Languages’ tab in the editor to change the message that gets shown to something more generic.

Reece

Hi @help, I don’t think you understood what I meant. I agree with Travis, but I don’t agree with the solution to change the message, as the message is being used when a user logs in with their email, not only for the password reset. In fact the message will be used anywhere else the email is being checked (including user login), so you can’t just change the message.

It would be strange to get the same message,

“If this email exists, we will send a password reset to fake-email@test.com”

when a user logs in and enters the wrong email or the email does not exist in the database.

Thanks

1 Like

So to conclude, I am wondering if anyone else has any better solution to this?

Hmm see what you mean.

You could perform the login action as a Backend workflow and pass the user inputted email/password to it so it hides the error if the user doesn’t exist then you could send a response via a state/custom event to display a custom alert. But it’s a big workaround.

Yep, thanks @help , I think the only way is overriding error messages and displaying custom alerts. But most importantly I think the trick is to not have the Signup, Log in and Forgot password on the same page so that the same error message is not used for the same error handling (Signup, Login and Password reset). Although in fact the Signup form has its own security vulnerability.

Forgot password
Email exists - [Message] - If this email exists, we will send a password reset to fake-email@test.com
Email does not exist - [Message] - If this email exists, we will send a password reset to fake-email@test.com

Login
Email exists and wrong password - [Message] - Incorrect username or password
Email exists and correct password - [No Message] - User is logged in
Email does not exist and correct password - [Message] - Incorrect username or password
Email does not exist and incorrect password - [Message] - Incorrect username or password

Signup (We complain about Reset password, but Signup is actually just as unsafe to snoop on existing accounts)
Email exists - ? (This email already exists. Login or use Forgot password to access your account.)
Email does not exist - After signup log the user in

Ok, sorry to be a pain, but actually there is an option that fixes the independence of each error. You can catch an error only after an element has been clicked not any error on the page. Instead of selecting the option inside “General” you can use the option inside “Elements” to control the error.

1 Like

Could you let me know how to catch an error and customize actions for each error?

Hmm, not sure if you solved your issue or not, but the reason it isn’t working is because for your workflow handling the “Unhandled Error” it’s checking if the Workflow Error’s message is “NO_SUCH_USER,” but instead it should be Workflow Error’s code is “NO_SUCH_USER.” Hope that helps.

Hi @todaybubble,

As @johnny has already mentioned, you need to catch the Workflow’s Error Code:

  1. An element has an error running a Workflow.

  2. Choose the element (eg. a button when clicked)

  3. Choose the actions (eg. Display a message, show Input in red, etc…)

  4. Add ‘Only when…’ for the specific action if you want a specific result (eg. Show a message related to that particular error).
    [image]

Hope that helps
Regards

1 Like

@mangooly @johnny I really appreciate your kindness. Finally, I caught the event. May I ask you one more question: is there any way I can expose a default browser alert without customizing a popup element? I’d like to use the same alert with the below style. Thank you again.

Hi @todaybubble,

I’m not understanding fully. If I’m not mistaken, you are showing the default browser alert. These JavaScript alerts cannot be customised; they are different depending on the browser (e.g. Chrome, Firefox, etc.). If you want something custom you have to build it yourself (e.g. show a popup or a text box or something else). This is the reason for catching an error, so that you can customise the result.

@mangooly thank you for your answer. I’m using the default Bubble login function, and it’s showing the “email address” using the default browser alert, even if I don’t put it in the language setting. So I just want to remove the email address from the alert text, and that’s why I wanted to catch the event and customize the message. But is there no function to show the default browser alert with customized text? Thank you again.

Hi @todaybubble,

You can change the text, but for that particular error you cannot remove the email from the message. That is why your best option is to use custom error messages to fully customise the design and the text.

I recommend you build a reusable layer or popup or whatever fits your needs; that way you can customise everything and don’t have to rebuild it every time you want to use it. It’s more work at the beginning but better long term.

Regards

Here’s my take on this question about confirming whether or not a user exists with a particular email address prior to trying to send a password reset email.

I didn’t even think of trying to catch a workflow error. Instead, when the user clicks the button to send a reset password email, I have the text of the button and other text set to change based on conditions. The simple condition is:

WHEN: Do a search for User’s email. If a match is found, then I display an appropriate text message. If not, then I change things up a little differently to reflect that.

In either event an email is sent out I think to whatever the user typed. If it was a bad email, it just goes to a bad address and nobody knows or cares.

1 Like
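The message table posted earlier in the thread (forgot password / login / signup) and the last post's "search for the email, then change the text" approach both come down to one design rule: the server's response, and the work it does, must look the same whether or not the email is on file. The following is an added Python example, not code from this thread or from Bubble; it assumes a constructed in-memory user store and a list standing in for an email service, and it shows the three flows from the table returning the same message for an existing and a non-existing email (with the existence-dependent branch moved into the email that gets sent), plus a small self-check a developer can run against their own handlers.

```python
import hashlib
import hmac
import secrets
from typing import Tuple, Iterable, Set

# Constructed in-memory user store for this example (not a real database).
USERS: dict = {}
# Constructed stand-in for an email-sending service: (recipient, body) pairs.
OUTBOX: list = []


def _hash_password(password: str, salt: bytes) -> bytes:
    # Fixed iteration count so every call costs the same amount of work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _seed_user(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "password_hash": _hash_password(password, salt)}


_seed_user("alice@example.com", "correct horse battery staple")

# Salt/hash used when the email is NOT on file, so the login path hashes the
# candidate password either way and does not finish faster for unknown emails.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

# One message per flow, reused for both the "exists" and "does not exist" cases.
RESET_MESSAGE = "If an account exists for {email}, a password reset link has been sent."
LOGIN_MESSAGE = "Incorrect email or password."
SIGNUP_MESSAGE = "Check {email} for a link to finish creating your account."


def request_password_reset(email: str) -> str:
    """Forgot-password row of the table: same message whether or not the email exists."""
    token = secrets.token_urlsafe(32)  # generated on every request, used only if needed
    if email in USERS:
        OUTBOX.append((email, f"Reset link: https://app.example/reset/{token}"))
    return RESET_MESSAGE.format(email=email)


def login(email: str, password: str) -> Tuple[bool, str]:
    """Login rows of the table: one generic failure message for every failing case."""
    user = USERS.get(email)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["password_hash"] if user else _DUMMY_HASH
    candidate = _hash_password(password, salt)  # always computed
    match = hmac.compare_digest(candidate, expected)  # constant-time comparison
    if user is not None and match:
        return True, ""
    return False, LOGIN_MESSAGE


def signup(email: str) -> str:
    """Signup row of the table: the 'already exists' branch goes into the email, not the UI."""
    if email in USERS:
        OUTBOX.append((email, "You already have an account here. Use 'forgot password' if needed."))
    else:
        token = secrets.token_urlsafe(32)
        OUTBOX.append((email, f"Finish signup: https://app.example/verify/{token}"))
    return SIGNUP_MESSAGE.format(email=email)


def distinct_reset_responses(emails: Iterable[str]) -> Set[str]:
    """Self-check for the reset flow: with the echoed address masked, a handler that
    does not leak account existence yields exactly one distinct response."""
    return {request_password_reset(e).replace(e, "<email>") for e in emails}
```

The check at the end is the thing to keep around: run it over one address you know is registered and one you know is not, and the set should have a single element. The same idea applies to the login and signup handlers, and to response timing, which is why `login` hashes the submitted password against a dummy record when the email is unknown instead of returning early.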