Conversation

Notices

1. Embed this notice
   dansup (dansup@mastodon.social)'s status on Monday, 22-Jan-2024 23:04:16 JST dansup

   You would think a "Forgot Email" feature would be simple to implement, a feature to send an email to an account by providing the username

   And it can be, but a feature like this has several vectors that are ripe for abuse

   Some examples:
   - Credential stuffing
   - Targeted account takeovers
   - Email quota overage
   - Account state exfiltration

   Our mitigations:
   - IP address rate limits (10/1440 mins)
   - Once per account for 24h
   - Email quota (no overages)
   - Random timing delays
   - General error messages

   • Embed this notice
     dansup (dansup@mastodon.social)'s status on Monday, 22-Jan-2024 23:09:01 JST dansup

     in reply to

     • Jippi 🇩🇰

     @jippi Some people don't remember which account they used though, this saves admins a bit of time by automating the experience in an ideal way.

   • Embed this notice
     Jippi 🇩🇰 (jippi@expressional.social)'s status on Monday, 22-Jan-2024 23:09:02 JST Jippi 🇩🇰

     in reply to

     @dansup I have also seen success with asking users to go to their inbox and search for the mail domain to find it - assuming the pixelfed welcome/confirm mail content includes the username :)

     """
     "Forgot your email?
     No worries! You can search your inbox for "from:pixelfed.dk" and check your welcome mail - otherwise, put your username in the form below, and we will send you an email"
     """