Posts: 13,646
Threads: 220
Joined: May 2010
Reputation: 550
This is not a vulnerability. Essentially, it's an email sent by the server saying "Hey, someone tried to reset the password for this account." The only issue would be if someone gained access to your email account, in which case you're pretty much screwed anyway.
It's the same for most web applications. You enter the email address, the server sends an email, you as the owner of the account choose what to do. Didn't initiate the request? Ignore it. Perhaps change the email address of your forum account to something only you know (the person who made the request needs to know your email address in the first place) so it doesn't happen again.
Once again, there is no vulnerability.
No longer involved in the MyBB project.
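The flow described in the post above (enter an address, the server mails the registered owner, the owner decides what to do) as an added, self-contained example. This is not MyBB's code and does not reflect how MyBB implements the feature; it is written in Python rather than MyBB's PHP so it can be run as-is. The user table, the reset URL, the one-hour lifetime and the `Outbox` mailer stand-in are all constructed for the example. It shows the two properties the thread circles around: the requester learns nothing (the reply is identical for known and unknown addresses and never echoes the address), and the mailed token is random, stored only as a hash, single-use and expiring, so the only party who can act on it is whoever reads the mailbox.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not a real account database): email -> account record.
USERS: Dict[str, dict] = {
    "alice@example.com": {"username": "alice"},
}

RESET_TTL_SECONDS = 60 * 60   # one hour; an assumed value
RESET_URL = "https://forum.example/reset?token="   # hypothetical URL
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


@dataclass
class ResetStore:
    """Pending reset tokens, keyed by SHA-256 of the token.

    Only the hash is stored, so a copy of this table does not yield usable links."""
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)


@dataclass
class Outbox:
    """Stand-in for the mailer: records (recipient, body) instead of sending."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def request_reset(email: str, users: Dict[str, dict], store: ResetStore,
                  outbox: Outbox, now: Optional[float] = None) -> str:
    """Handle 'I forgot my password' for the given address.

    The caller gets the same reply whether or not the address is registered,
    and the reply never echoes the address, so the endpoint cannot be used to
    confirm which emails have accounts. Only the mailbox owner learns anything."""
    now = time.time() if now is None else now
    key = email.strip().lower()
    user = users.get(key)
    # Always generate a token so both paths do roughly the same work;
    # it is simply discarded when there is no matching account.
    token = secrets.token_urlsafe(32)
    if user is not None:
        store.pending[_token_hash(token)] = (key, now + RESET_TTL_SECONDS)
        outbox.send(key, (
            f"Someone requested a password reset for the account '{user['username']}'.\n"
            "If that was not you, ignore this message; your password is unchanged.\n"
            f"To set a new password, open: {RESET_URL}{token}"))
    return GENERIC_REPLY


def consume_reset(token: str, store: ResetStore,
                  now: Optional[float] = None) -> Optional[str]:
    """Redeem a token from a reset link.

    Returns the account email on success, None if the token is unknown,
    already used, or expired. Tokens are single-use: popping the entry
    removes it whether or not it is still valid."""
    now = time.time() if now is None else now
    entry = store.pending.pop(_token_hash(token), None)
    if entry is None:
        return None
    account_email, expires_at = entry
    if now > expires_at:
        return None
    return account_email


def demo() -> None:
    store, outbox = ResetStore(), Outbox()
    print(request_reset("Alice@Example.com", USERS, store, outbox))
    print(request_reset("nobody@example.com", USERS, store, outbox))
    print(f"{len(outbox.sent)} email(s) sent")
    token = outbox.sent[0][1].rsplit("token=", 1)[1]
    print("redeemed for:", consume_reset(token, store))
    print("second use:", consume_reset(token, store))


if __name__ == "__main__":
    demo()
```

In a real deployment the mail send should be queued rather than done inline, otherwise the response time still reveals whether an account exists even though the reply text does not; the token generation on both paths here only narrows that gap, it does not close it.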
(2013-05-25, 03:18 AM)SirGravzy Wrote: A good idea would also be make sure the front end doesn't tell the user which email address the recovery email was sent to.
You have to know the email address in the first place. You can't reset a password without knowing the email address of the account, and, as I mentioned, if they have access to your email account then you probably have other things to worry about.
No longer involved in the MyBB project.
Posts: 84
Threads: 4
Joined: Apr 2013
(2013-05-25, 03:18 AM)SirGravzy Wrote: A good idea would also be make sure the front end doesn't tell the user which email address the recovery email was sent to.
That doesn't even make sense. To request a password reset YOU have to enter the email address of the account. I don't see what you are getting at here.