Hi. I have a question about the change email flow ...
# ory-networkl
limited-photographer-61008
06/08/2023, 5:52 PMHi. I have a question about the change email flow via Account/Profile settings. Seeing that it is vulnerable to account enumeration (responds with
An account with the same identifier (email, phone, username, ...) exists already.c
curved-fountain-46946
06/09/2023, 1:20 PMFor what it's worth, you can probably override / replace this message in the settings.after webhook đ
l
limited-photographer-61008
06/09/2023, 1:25 PMTrue, but the message text doesnât really matter. If we donât update the userâs email, then it would signal that email is already in use anyway.
c
curved-fountain-46946
06/09/2023, 1:35 PMFair - how do you suggest to solve it? Just update the email anyways? đ
l
limited-photographer-61008
06/09/2023, 1:38 PMIn our current system, we just send an email to the new email. The user has to click a link in the email to actually trigger the change.
c
curved-fountain-46946
06/09/2023, 2:23 PMSo what does the email say if the identifier (ie, the email address) already exists? It's not a bad solution, it's kinda smart
l
limited-photographer-61008
06/09/2023, 2:44 PMAnd the app just displays, âYouâll receive an email with further instructionsâ.
limited-photographer-61008
06/09/2023, 2:45 PMYou can also automatically verify the account since youâd need to be able to access the email to approve the change.
c
curved-fountain-46946
06/09/2023, 3:58 PMYeah, makes sense
l
limited-photographer-61008
06/19/2023, 1:27 PMHi. Is it possible for someone from the Ory team to comment on my original question? Thanks.
s
steep-lamp-91158
06/19/2023, 1:34 PM
there is some settings, i.e. you have to require verification and there is an option to enable sending a login attempt email
but there is still some limitations: https://github.com/ory/kratos/issues/133
steep-lamp-91158
06/19/2023, 1:35 PM
steep-lamp-91158
06/19/2023, 1:36 PM
l
limited-photographer-61008
06/19/2023, 1:37 PMWe have the âAttempted verification notificationsâ turned on. I guess I am more interested in what the rate limits are and how Ory enforces it? We can live with some enumeration as long as it canât be abused.
s
steep-lamp-91158
06/19/2023, 1:46 PM
we are still working on refining those request specific rate-limits, but we have abuse detection & prevention through cloudflare, as well as global rate-limits, which already works very well
what specific scenarios are you envisioning?
I'd suggest you try the attack you need to be protected from, and see how well it works
we're happy to take it from there and adjust the rate-limiting
đ 1
l
limited-photographer-61008
06/19/2023, 2:10 PMThe scenario would just be someone repeatedly calling the following endpoint, https://www.ory.sh/docs/reference/api#tag/frontend/operation/updateSettingsFlow, and searching for a
An account with the same identifier (email, phone, username, ...) exists already. (4000007)limited-photographer-61008
06/19/2023, 2:12 PMI suppose we could do some logging in a webhook on our end to try and detect abuse as well.
s
steep-lamp-91158
06/19/2023, 2:18 PM
this case will typically be handled by cloudflare very well, but we could set stricter rules for the endpoint if we see the need
l
limited-photographer-61008
06/19/2023, 2:40 PMThanks.
45 Views