How to prevent user enumeration attacks through the Forgot Password functionality

Issue

Insecure default configuration may allow remote attackers to enumerate users' email addresses via the forgot password functionality. This can be a risk in the case of public-facing deployments.

Environment

  • Liferay DXP 6.2 EE
  • Liferay DXP 7.0-7.2

Resolution

It is recommended to set the portal property login.secure.forgot.password to true in your portal-ext.properties.

On the specified product versions, this property defaults to "false":

# Set this to true to prevent attempts to enumerate the portal's users via
# the forgot password feature. This feature will no longer show an error
# that would reveal a user's existence.
login.secure.forgot.password=false

To avoid causing unwanted behavior change in existing deployments, Liferay will not change this default setting in a Fix Pack/Service Pack.

Long Term Resolution

In Liferay DXP 7.3 this property defaults to "true".

Was this article helpful?
0 out of 0 found this helpful