[feature-proposal] Forgot password improvements
Rodrigo Souto
rodrigo at colivre.coop.br
Mon Nov 11 19:28:53 BRST 2013
Indeed...
If there are private confirmation fields (email itself is private by
default now) we would leak this information through this form.
Aurelio Heckert wrote this:
> Nope...
>
> If you can use a piece of CPF or telephone to find a user (as you
> can use a piece of the name) you can use brute force to discover a
> collection of CPF/Tel/* and the owner names.
>
> I believe we must consider any privacy risk a tragic event, as
> "privacy destroying".
>
> Aurium
>
> On 11-11-2013 15:24, Ewout ter Haar wrote:
> >In case of n>1, just returning the complete name and maybe the
> >avatar for disambiguation should be enough and not "privacy
> >destroying". This is all public information in Noosfero:
> >http://social.stoa.usp.br/search/people?query=jose
> >
> >Of course, a rate-limit system that detects and blocks multiple
> >password recovery attempts would be nice...
> >
> >Ewout
> >
> >http://social.stoa.usp.br/ewout <http://stoa.usp.br/ewout>
> >F. 30916696
> >
> >
> >On Mon, Nov 11, 2013 at 4:08 PM, "Aurélio A. Heckert"
> ><aurelio at colivre.coop.br <mailto:aurelio at colivre.coop.br>> wrote:
> >
> > Hey Wait!!!
> >
> > Facebook does not "return back with the profile info (photo,
> > name etc) asking you to confirm if that's you" today.
> >
> > That is a machine to destroy _privacy_. You can't display the
> > found profiles with some related data or someone can discover
> > sensitive information with _brute force_.
> >
> > Today Facebook asks for other information when it finds more than
> > one profile (if I understand it right).
> >
> > Aurium
> >
>
> --
>
> *Aurélio A. Heckert (aka Aurium)*
> http://softwarelivre.org/aurium
> *COLIVRE --- Coop. de Tecnologias Livres*
> http://colivre.coop.br
>
> *Inkscape* --- Draw Freely
> http://inkscapeBrasil.org
--
Rodrigo Souto <rodrigo at colivre.coop.br> :: 55 71 8131-7714
Colivre - Cooperativa de Tecnologias Livres
http://www.colivre.coop.br/
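One way to close the enumeration path discussed in this thread, written in Ruby (Noosfero's language) as an added example that is not Noosfero's own code: the recovery lookup accepts only a full, exact identifier (no partial CPF/phone/name search), the response is identical whether or not an account exists, and each requester is rate-limited. The user table, requester keys, limits and the DELIVERIES log are constructed for the example.

```ruby
# Constructed in-memory user store standing in for the profile table.
USERS = [
  { name: 'Jose Silva', email: 'jose@example.org',   cpf: '12345678901' },
  { name: 'Jose Souza', email: 'jsouza@example.org', cpf: '98765432100' }
].freeze

# Record of reset links handed to the mailer (never shown to the requester).
DELIVERIES = []

# Sliding-window counter keyed by requester (for instance the client IP).
class RecoveryRateLimiter
  def initialize(max:, window:)
    @max = max
    @window = window
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true and records the hit if the requester is under the limit.
  def allow?(key, now)
    @hits[key].reject! { |t| t <= now - @window }
    return false if @hits[key].size >= @max
    @hits[key] << now
    true
  end
end

# Handles one recovery request.  Only a full, exact identifier matches
# (no partial CPF/phone/name search), the reset link goes out of band,
# and the message is the same whether or not an account exists, so the
# form cannot be used to confirm names, CPFs or phone numbers.
def recovery_response(limiter, requester, identifier, now)
  unless limiter.allow?(requester, now)
    return { status: :rate_limited, message: 'Too many attempts, try again later.' }
  end
  user = USERS.find { |u| u[:email] == identifier || u[:cpf] == identifier }
  DELIVERIES << user[:email] if user
  { status: :ok, message: 'If an account matches, a reset link has been sent.' }
end
```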