
I have a Flask application running in a production environment, and one of the users requested a password reset, which sent them an email with a link back to the site for resetting the password.

That email probably got shared with a third party, and the link got exposed. Now the reset request is being spammed from multiple IP addresses. There is a timer I set using the SECURITY_RESET_PASSWORD_WITHIN config parameter to 30 mins, and I can see that it does work as intended: the link is invalidated and throws an error saying the link has expired.

But the default behavior of the Flask-Security package is to re-send the reset email to the user if the token has expired when doing a GET request to the reset page with the expired token. So someone can keep spamming that expired link using GET /reset/token_id, and the user keeps getting sent reset emails.

What is the correct way to handle this situation?

1 Answer

Once the user changes their password, those tokens should be viewed as 'invalid' and then not send emails any more.

jwag
  • The tokens got invalidated by timing out, but the default behavior of Flask-Security is to re-send a new reset email if you open the old link and the token is no longer valid. That is what I'm trying to fix – Kunal Gupta Feb 27 '20 at 13:46
  • No - if you look at view.py:reset_password - it only sends email if the token is EXPIRED - not if it is invalid. Once the user changes their password the existing token should be marked invalid. If that is not the case - then there is a bug. – jwag Feb 27 '20 at 14:38
  • You are correct, yes, I misunderstood what you said earlier. But the issue here is that some malicious third party is using the same link repeatedly, over the course of a day; since the token expires in 30 mins, they are able to spam the user with new emails constantly. If the user has changed the password successfully, the token is invalidated and does not send a new email. – Kunal Gupta Feb 27 '20 at 16:29
  • Ok - so this is somewhat annoying - though a combination of someone starting a password reset request AND having their email account hacked AND not bothering to finish the password reset request for a long time seems a fairly small concern. I do agree however that it isn't clear there is a reason to automatically resend the email - most websites have a button that allows you to request 'Please resend...' – jwag Feb 27 '20 at 17:41
  • Regardless we cannot blame the customer, and since they are being spammed it has become our concern now. We ended up re-writing all the forms and the back-end functionality ourselves instead of using the flask-security ones. – Kunal Gupta Feb 28 '20 at 11:22
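The two points made in this thread (an expired link must not trigger a new email by itself, and a token must stop working once the password has been changed) can be seen together in the following self-contained example. It is added here and is not code from the question, the answer, or Flask-Security; it uses only the standard library, with a constructed in-memory user table, a hypothetical mailer stub, and a 30-minute window that mirrors the SECURITY_RESET_PASSWORD_WITHIN setting from the question. The token carries a fingerprint of the stored password hash so that changing the password invalidates every outstanding link, and the GET handler returns an error on an expired token instead of re-sending mail, which removes the replay-to-flood behaviour described above.

```python
# Added example, not from the question, answer, or Flask-Security: a stdlib-only
# password-reset token that expires, is bound to the current password hash, and
# whose reset view never re-sends email when a stale link is replayed.
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: one user record, a server secret, and a mail log.
SECRET_KEY = b"example-server-secret-not-for-production"
USERS = {
    "u1": {"email": "user@example.com", "password_hash": "hash-of-old-password"},
}
EMAILS_SENT = []           # every reset email the app would have sent
RESET_WITHIN = 30 * 60     # seconds; mirrors SECURITY_RESET_PASSWORD_WITHIN = 30 min


def _fingerprint(password_hash):
    # Short digest of the stored hash; it changes whenever the password changes.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def _unb64(s):
    s = s.encode()
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def make_reset_token(user_id, now=None):
    """Build a signed token: urlsafe-b64(json payload) + '.' + urlsafe-b64(hmac)."""
    now = time.time() if now is None else now
    body = json.dumps(
        {"uid": user_id, "iat": int(now),
         "fp": _fingerprint(USERS[user_id]["password_hash"])},
        separators=(",", ":"),
    ).encode()
    b = base64.urlsafe_b64encode(body).rstrip(b"=")
    s = base64.urlsafe_b64encode(_sign(b)).rstrip(b"=")
    return (b + b"." + s).decode()


def check_reset_token(token, now=None):
    """Return ("ok", user_id), ("expired", None) or ("invalid", None)."""
    now = time.time() if now is None else now
    try:
        b, s = token.split(".", 1)
        if not hmac.compare_digest(_sign(b.encode()), _unb64(s)):
            return ("invalid", None)
        data = json.loads(_unb64(b))
        user = USERS.get(data["uid"])
    except (ValueError, KeyError, TypeError):
        return ("invalid", None)
    # A password change alters the fingerprint, so older tokens stop matching.
    if user is None or data["fp"] != _fingerprint(user["password_hash"]):
        return ("invalid", None)
    if now - data["iat"] > RESET_WITHIN:
        return ("expired", None)
    return ("ok", data["uid"])


def send_reset_email(user_id):
    # Hypothetical mailer stub: only ever called from an explicit user request,
    # never from the GET handler below.
    token = make_reset_token(user_id)
    EMAILS_SENT.append((USERS[user_id]["email"], token))
    return token


def reset_password_get(token, now=None):
    """GET /reset/<token>: show the form or an error. Sends no email."""
    state, user_id = check_reset_token(token, now)
    if state == "expired":
        # Flask-Security's default re-sends here; instead the user is sent to
        # the explicit "request a new link" form, so replaying a stale link
        # cannot flood their inbox.
        return {"status": 400, "error": "link expired; request a new one"}
    if state == "invalid":
        return {"status": 400, "error": "invalid link"}
    return {"status": 200, "form_for": user_id}


def reset_password_post(token, new_password_hash, now=None):
    """POST /reset/<token>: change the password, which invalidates the token."""
    state, user_id = check_reset_token(token, now)
    if state != "ok":
        return {"status": 400, "error": "link invalid or expired"}
    USERS[user_id]["password_hash"] = new_password_hash
    return {"status": 200, "changed": user_id}
```

Binding the token to a fingerprint of the password hash is what makes the answer's "tokens should be invalid after a password change" hold without any server-side token store; the expiry check is separate, and the only code path that emits mail is the explicit request handler.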