Results 1 to 3 of 3
  1. 25 Apr 2017, 04:18 PM #1
    kalastaja's Avatar
    kalastaja
    kalastaja is offline Zen Follower
    Join Date
    Mar 2010
    Location
    Finland
    Posts
    463
    Plugin Contributions
    0

    Default "Forgot password" proclaims success every time

    Is this intended functionality?

    The customer is currently not made aware of their, e.g. possible mistake in the address - they are just left hanging.
    Last edited by kalastaja; 25 Apr 2017 at 04:20 PM.
    Reply With Quote Reply With Quote
  2. 25 Apr 2017, 05:45 PM #2
    dbltoe's Avatar
    dbltoe
    dbltoe is offline Totally Zenned
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,473
    Plugin Contributions
    11

    Default Re: "Forgot password" proclaims success every time

    The idea is to make the hacker think they are going to be getting a new password.
    Of course, with open source, you can always search for the wording and change it to "If the address you used is registered with us, a new password is on it's way."
    Personally, I'd just leave it alone.
    Are You Vulnerable for an Accessibility Lawsuit?
    myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
    Free SSL & Domain with semi-annual and longer hosting. Updating 1.5.2 and Up.
    Reply With Quote Reply With Quote
  3. 26 Apr 2017, 12:32 AM #3
    carlwhat's Avatar
    carlwhat
    carlwhat is offline Totally Zenned
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,848
    Plugin Contributions
    11

    Default Re: "Forgot password" proclaims success every time

    Quote Originally Posted by dbltoe View Post
    The idea is to make the hacker think they are going to be getting a new password.
    Of course, with open source, you can always search for the wording and change it to "If the address you used is registered with us, a new password is on it's way."
    Personally, I'd just leave it alone.
    my opinion is that it is very frustrating for the customer, and that hackers are far more sophisticated than some people give them credit.

    i see far more brute force attempts at logging into a server, than someone trying to hack a user account.

    this topic was addressed here:

    https://github.com/zencart/zencart/issues/1295

    and for v160, there will be a switch which allows the store owner to say whether the email address is registered or not.

    best.
    author of square Webpay.
    mxWorks now has Apple Pay and Google Pay. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.
    Reply With Quote Reply With Quote
 

 
« Previous Thread | Next Thread »

Similar Threads

  1. v151 getting no emails for " Forgot password"
    By awk_grep in forum Managing Customers and Orders
    Replies: 0
    Last Post: 31 Dec 2013, 05:06 AM
  2. v139h PP Express - 3 log files show "Success" but no order
    By RixStix in forum PayPal Express Checkout support
    Replies: 5
    Last Post: 25 Nov 2012, 06:13 AM
  3. "Forgot your password" not working
    By ekele in forum General Questions
    Replies: 3
    Last Post: 26 Jan 2011, 08:17 PM
  4. Custom "Thank You" messages on success page
    By phillip_r in forum General Questions
    Replies: 3
    Last Post: 14 Apr 2009, 09:23 PM
  5. "forgot password" freezes access
    By Schnak in forum General Questions
    Replies: 2
    Last Post: 14 Jul 2008, 05:15 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules

disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR
Content and Graphics Copyright (c) 2003 - 2025 Zen Ventures, LLC - all rights reserved
Zen Cart® is a Registered Trademark of Zen Ventures, LLC