Password reset emails offer no advice regarding impersonation attempts
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Confirmed | High | Unassigned |
Bug Description
This morning I received two reset-password emails from SSO, as follows:
Subject: Ubuntu One: Forgotten Password
Hello
You have requested a new password for your Ubuntu One account.
Click the following link to automatically confirm your reset:
[redacted]
Thank you,
The Ubuntu One team
https:/
(I didn't originate these requests; a brief log analysis shows that they originated from an IP address in Poland.)
I think that we have at least the following problems here:
* the email assumes the user originated the request, and does not advise them on what to do if they didn't
* the email should perhaps tell the user what IP address the request originated from or some other similar contextual information (User-Agent maybe?); compare e.g. Twitter's emails when you use a new device to access your account
* there is no way to say "cancel this reset attempt" and thereby consume the authtoken so that it cannot be used by anyone else
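The reset flow the three bullets above ask for, as an added Python example rather than code from canonical-identity-provider or Ubuntu One: the token is issued together with the requester's IP and User-Agent, the email shows that context and tells the user what to do if the request was not theirs, and a cancel link consumes the token so the confirm link stops working. The class and method names (`ResetService`, `issue`, `render_email`, `confirm`, `cancel`, `status`), the `TOKEN_TTL` value, the `login.example.test` host and the sample addresses are all assumptions made for the example.

```python
"""Single-use password-reset tokens with requester context and a cancel link.

Added illustration only; not Ubuntu One / canonical-identity-provider code.
Names, the one-hour TTL and the example host are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed policy)


@dataclass
class ResetRequest:
    email: str
    ip: str
    user_agent: str
    issued_at: float
    state: str = "pending"  # pending | used | cancelled | expired


class ResetService:
    def __init__(self, base_url="https://login.example.test"):  # placeholder host
        self.base_url = base_url
        self._requests = {}   # sha256(token) -> ResetRequest; raw token lives only in the email
        self._passwords = {}  # stand-in for the real credential store

    @staticmethod
    def _digest(token):
        # Store only a hash so a database leak does not hand out live reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def _get(self, token, now):
        req = self._requests.get(self._digest(token))
        if req is not None and req.state == "pending" and now - req.issued_at > TOKEN_TTL:
            req.state = "expired"
        return req

    def issue(self, email, ip, user_agent, now=None):
        """Create a reset token bound to the requester's context; returns the raw token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._requests[self._digest(token)] = ResetRequest(email, ip, user_agent, now)
        return token

    def render_email(self, token):
        """Email text that shows where the request came from and offers a cancel link."""
        req = self._requests[self._digest(token)]
        return (
            "Subject: Forgotten Password\n\n"
            f"Hello,\n\nA password reset for {req.email} was requested "
            f"from IP address {req.ip} using {req.user_agent}.\n\n"
            "If this was you, confirm the reset here:\n"
            f"  {self.base_url}/reset/confirm?token={token}\n\n"
            "If you did NOT request this, cancel it here; the confirm link above "
            "will then stop working:\n"
            f"  {self.base_url}/reset/cancel?token={token}\n"
        )

    def confirm(self, token, new_password, now=None):
        """Consume a pending token and set the password. False if unknown/used/cancelled/expired."""
        now = time.time() if now is None else now
        req = self._get(token, now)
        if req is None or req.state != "pending":
            return False
        req.state = "used"
        self._passwords[req.email] = new_password
        return True

    def cancel(self, token, now=None):
        """Consume a pending token without changing anything, so nobody else can use it."""
        now = time.time() if now is None else now
        req = self._get(token, now)
        if req is None or req.state != "pending":
            return False
        req.state = "cancelled"
        return True

    def status(self, token, now=None):
        now = time.time() if now is None else now
        req = self._get(token, now)
        return None if req is None else req.state


if __name__ == "__main__":
    svc = ResetService()
    # Constructed sample request, as if logged from an unknown address.
    tok = svc.issue("user@example.test", "203.0.113.7", "Mozilla/5.0 (X11; Linux)")
    print(svc.render_email(tok))
    print("cancel:", svc.cancel(tok), "confirm afterwards:", svc.confirm(tok, "pw"))
```

Both links carry the same token on purpose: whoever can read the mailbox is the party entitled to either confirm or cancel, and whichever is clicked first retires the token. One caveat for a real deployment: mail security gateways often prefetch links, so a cancel (or confirm) link that changes state on a plain GET can be triggered before the user ever sees the message; land the link on a page that requires a POST to act.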
Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → High
tags: added: bite-size