password reset on non-existent account
sympa (the current 6.1 on whimbrel at least) will let you do a password reset for an email address that does not yet have an account, and completing that reset effectively creates the account:
<kaakaawahie> so if someone goes on lists and requests a password for a non-existing account, the email goes out and they can set it but upon login, forces the user to create a new password and the cycle starts anew. this seems problematic.
<taggart> kaakaawahie: so they do the "Lost password?" link but the account they are doing doesn't yet exist?
<kaakaawahie> taggart: correct
<kaakaawahie> i just did a test with a guerrilla mail address, which i guess theoretically could already exist but that seems really unlikely :)
<kaakaawahie> i've occasionally seen folks talk about always having to change their password and i think this is related. going through the process essentially creates the account. once the password is set, you're logged in, so you should be able to act like normal
<taggart> ok so they do a password reset on the non-existent account and they get the email to reset. and then they go to that url and it lets them set the password?
<kaakaawahie> yes
<kaakaawahie> and logs them
<kaakaawahie> in
<kaakaawahie> so to give some context to this, imagine you're someone else and you try to log in using the email address you think you used (but it's not really the right one) and it fails. you see the forget password link and click on it. you get the email, which further gives credit to the idea that is the right email. it gets better when it accepts the new password, so on and so forth
<kaakaawahie> it's like a self-fulfilling prophecy but the reality is you've just got the wrong email
<taggart> ok but now they have an account and they know the password and it works ok (but if they thought it was an account they were subscribed with, they are wrong)
<taggart> and it wouldn't have any list subscriptions on the left side
<kaakaawahie> well the password works ok but it immediately requires them to change the password (talking about how they forgot the password) upon login
<kaakaawahie> and with all that confirmation that they have the right email, they'd look at the missing list subscriptions and just think there was something wrong with the system, not the choice of email
<taggart> yeah
<taggart> so the only improvement I think is that the system shouldn't send a password reset mail for an account that doesn't exist
<kaakaawahie> agreed entirely. that's the root problem
<taggart> but also you don't want to leak that an account doesn't exist
<taggart> so should it fail silently? that would also be confusing
<kaakaawahie> confusing but not as problematic
We probably won't go to the effort of fixing this in 6.1, but we should get it fixed upstream so we pick up the fix when upgrading.
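As an added illustration (not Sympa's code), the following Python model puts the two flows discussed above side by side: a reset handler that issues a token for any address and creates the account when the new password is set, and a hardened handler that returns the same message whether or not the account exists, mails a token only to known accounts, and refuses to set a password for an address that has no account. The `ResetService` class, its in-memory user table, token store and outbox are assumptions constructed for this example.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-ins for the user table and outgoing mail queue
# (assumptions for this example, not Sympa's real data model).
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_password(stored: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = stored
    return secrets.compare_digest(digest, hash_password(password, salt)[1])


class ResetService:
    def __init__(self, users: dict, ttl: int = 3600, now=time.time):
        self.users = dict(users)   # email -> (salt, digest)
        self.ttl = ttl
        self.now = now
        self.outbox = []           # (recipient, token) pairs that would be mailed
        self.pending = {}          # sha256(token) -> (email, expiry); raw tokens are never stored

    def _issue_token(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, self.now() + self.ttl)
        return token

    def _redeem_token(self, token: str) -> Optional[str]:
        """Single-use: pops the token and returns its email, or None if unknown/expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)
        if entry is None or self.now() > entry[1]:
            return None
        return entry[0]

    # --- flow the ticket describes: a reset mail goes out for any address ------
    def request_reset_legacy(self, email: str) -> str:
        token = self._issue_token(email)
        self.outbox.append((email, token))
        return f"A reset link has been sent to {email}."

    def set_password_legacy(self, token: str, new_password: str) -> bool:
        email = self._redeem_token(token)
        if email is None:
            return False
        # The root problem: an address that never had an account gets one here.
        self.users[email] = hash_password(new_password)
        return True

    # --- hardened flow: uniform response, mail only to known accounts ---------
    def request_reset(self, email: str) -> str:
        # Do the same work on both paths so the response (and its timing)
        # does not reveal whether the address has an account.
        token = self._issue_token(email)
        if email in self.users:
            self.outbox.append((email, token))
        else:
            self._redeem_token(token)  # discard: unknown addresses get no usable token
        return GENERIC_RESPONSE

    def set_password(self, token: str, new_password: str) -> bool:
        email = self._redeem_token(token)
        # Refuse a bad or expired token, and (defence in depth) an address
        # whose account disappeared between request and redemption.
        if email is None or email not in self.users:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    svc = ResetService({"alice@example.org": hash_password("old")})
    print(svc.request_reset("alice@example.org"))
    print(svc.request_reset("nobody@example.org"))   # same message, nothing mailed
    print([addr for addr, _ in svc.outbox])           # ['alice@example.org']
```

The hardened `request_reset` answers the "fail silently?" question from the log: the user-facing message is identical for both cases, which avoids confirming or denying that an address is registered, while the mail itself only goes to addresses that actually have an account, so the self-fulfilling loop of reset, account creation and forced password change cannot start.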