Email bomb alert! The dangers of the "forgot password" page
These days, everybody has multiple user accounts for different websites. At some point you will forget which password you used for one of them. Luckily, most websites have a self-service solution for this problem: the "I forgot my password" button. After entering your email address and clicking the button, you receive an email with a reset code or link. Great news! Problem solved! But wait... If you can trigger this email without authenticating, anyone else can do it as well!
So here lies the problem. If a website does not limit the number of emails that can be sent to an address over time, an attacker can trigger reset email after reset email to a single inbox: the so-called email bomb. Worse, what if the website does not check whether the entered address belongs to an existing account? Then the attacker can send these email bombs to any email address imaginable, not just to the site's own users!
So this is merely an annoyance for the victim, right? Not quite. The victim loses a lot of valuable time, which can mean lost income, and legitimate emails buried in the flood may be missed or deleted along with it. If several employees of an organization are hit at once, the organization might lose the ability to communicate by email entirely. The victims are not the only ones who suffer, though. A company whose unprotected "forgot password" page is used to bomb others will see its domain flagged as a spam or phishing source, and in the worst case its sending IP address ends up on blocklists, at which point even its legitimate mail, including genuine password resets, stops being delivered.
So, what should you do to protect your website against email bombing? First, always check whether the entered email address belongs to an existing user account, and send nothing if it does not. Next, keep track of how many reset emails have been sent to each address within a given time frame and stop sending once a cap is reached; a maximum of 3 emails per hour is a reasonable default, since a legitimate user rarely needs more and the attacker's throughput per victim is then capped at 3 per hour. Limit requests per client (IP address or session) as well, so one attacker cannot spray requests at thousands of different victims and burn your sending reputation in the process. Additionally, a CAPTCHA slows down automated submissions. And finally, while implementing these measures, make sure you do not introduce email address enumeration: whenever a reset is requested, display the same generic message stating that a reset email will be sent if the address is found, regardless of whether the address exists or the limit has been hit. Never indicate whether the entered email address exists! Keep in mind that a noticeably slower response on the "address found" path (because the email is actually being sent) leaks the same information, so do the lookup and the sending in a background job rather than inside the request handler.
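The following is an added example of those measures in code; it is not code from the original article. It assumes an in-memory store, a hypothetical `ForgotPasswordService` whose request handler only enqueues work and whose worker applies the existence check, the article's 3-per-hour cap per recipient and an assumed 10-per-hour cap per requesting client; the registered users and the attacker's requests are constructed sample data.

```python
"""Forgot-password flow with per-recipient and per-client caps and an
enumeration-safe response. Added example, not the article's own code."""
import secrets
import time
from collections import deque

GENERIC_RESPONSE = ("If an account exists for that address, a password reset "
                    "email will be sent shortly.")
MAX_PER_RECIPIENT = 3       # the article's suggestion: 3 emails per hour
MAX_PER_CLIENT = 10         # assumed value for the per-IP cap
WINDOW_SECONDS = 3600


def normalize_email(addr: str) -> str:
    """Canonicalise so case/whitespace variants share one bucket; otherwise
    'Alice@Example.com' and 'alice@example.com ' each get their own 3/hour."""
    return addr.strip().lower()


class SlidingWindowLimiter:
    """Allows at most `limit` events per key in any `window` seconds.
    The clock is injectable so tests can advance time without sleeping."""

    def __init__(self, limit, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = {}  # key -> deque of event timestamps

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events.setdefault(key, deque())
        while q and q[0] <= now - self.window:  # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ForgotPasswordService:
    def __init__(self, registered_users, clock=time.monotonic):
        self.users = {normalize_email(u) for u in registered_users}
        self.by_recipient = SlidingWindowLimiter(MAX_PER_RECIPIENT, clock=clock)
        self.by_client = SlidingWindowLimiter(MAX_PER_CLIENT, clock=clock)
        self.jobs = deque()   # stands in for an asynchronous work queue
        self.outbox = []      # stands in for the mail transport: (recipient, token)

    def request_reset(self, email: str, client_ip: str) -> str:
        """HTTP-facing step. No lookup and no sending here: it only enqueues,
        so the response text and its timing are identical for every input."""
        self.jobs.append((normalize_email(email), client_ip))
        return GENERIC_RESPONSE

    def process_jobs(self) -> int:
        """Background step. Applies the client cap, the existence check and the
        recipient cap, silently dropping anything that fails. Returns the
        number of emails handed to the transport."""
        sent = 0
        while self.jobs:
            email, client_ip = self.jobs.popleft()
            if not self.by_client.allow(client_ip):
                continue  # one source spraying requests: protect our reputation
            if email not in self.users:
                continue  # unknown address: nothing sent, nothing revealed
            if not self.by_recipient.allow(email):
                continue  # recipient already got 3 this hour: protect their inbox
            token = secrets.token_urlsafe(32)  # a real system stores only a hash
            self.outbox.append((email, token))
            sent += 1
        return sent


def demo():
    """Constructed scenario: one attacker IP submits alice's address six times
    (in two spellings) plus an unregistered address twice, then tries again an
    hour later. Returns (set of responses, sent in hour 1, sent after window)."""
    t = [0.0]
    svc = ForgotPasswordService({"alice@example.com"}, clock=lambda: t[0])
    targets = ["Alice@Example.com", "alice@example.com"] * 3 + ["nobody@example.com"] * 2
    responses = {svc.request_reset(addr, "203.0.113.7") for addr in targets}
    sent_first_hour = svc.process_jobs()
    t[0] += WINDOW_SECONDS + 1
    svc.request_reset("alice@example.com", "203.0.113.7")
    sent_after_window = svc.process_jobs()
    return responses, sent_first_hour, sent_after_window


if __name__ == "__main__":
    print(demo())  # ({generic message}, 3, 1)
```

In the scenario alice's inbox receives exactly three emails in the first hour no matter how many requests arrive, the unregistered address never receives anything, and every caller sees the same text, so neither the message nor the queue-only request path tells the attacker which addresses are real.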