
Password reset email hint issue

Discussion in 'Security' started by ethical, Nov 26, 2018.

  1. ethical (Well-Known Member)
    Related to this thread:

    Password Recovery - Email Hint

    The email hint shown for a password reset displays a totally random yet obscured email address. All my clients email me thinking they have been hacked because they do not recognize that email address.

    I was about to submit a feature request since this issue is really bugging me and creating a lot of support requests, but never once has the ACTUAL contact email address been displayed as the hint address when a user tries to reset their cPanel password. Yes, they all have contact email addresses set. Is this still a "feature", or is there a way to stop this silliness finally?
     
  2. cPanelKenneth (cPanel Development Staff Member, Root Administrator)
    At face value this sounds like a bug.

    When resetting a password, and a contact email address is set, an obfuscated form of the contact email address is supposed to display.

    If a contact email address is not set, then an obfuscated form of a fake contact email address is displayed.
     
  3. ethical (Well-Known Member)
    Hi Kenneth, hmmm, it looks like you did fix it, sorry. However, my clients are still getting confused, one the other day, I think because you only put in 2 blank spaces on each side of the @ sign.
     
  4. cPanelLauren (Forums Analyst II, Staff Member, DataCenter Provider)
    Hi @ethical

    The specific issue initially mentioned with random addresses is indeed as @cPanelKenneth mentioned: if the contact email isn't set within the User Manager, this will use an obfuscated fake contact email address. What you're referencing now I'm not sure I've seen before. Was the entirety of the form blank besides the @ symbol, or were only the letters to the immediate left and right obfuscated?

    Thanks!
     
  5. ethical (Well-Known Member)
    Sorry for the delay. What I mean is the hint email shows only 2 digits on either side of the @ sign, e.g.

    [email protected]__l.com This suggests the email address is only 4 characters long, such as [email protected], as a suggestion.

    But I do have another issue totally related to this. While the email hint does show a correct address (albeit in a silly way), once I fill in my email address, I get taken to a second screen that says

    "Complete your contact email address below to receive your security code." and this page shows a totally bogus email address.

    Now, thinking about this further, I realize I entered my email address on the first step of the password reset, NOT the username, and then it takes me to the next screen with the bogus email hint.
    I think most people are used to entering an email address here, so I think it should be made clear, OR not allow an email address to be entered at all in the box and ONLY a username.

    Since I have clients with multiple accounts, you can't really use the email to reset anyway, since it would not know which account to reset.

    Does that make sense? Basically I think you need to NOT allow an email to be entered in the username password reset box....
     
  6. cPanelLauren (Forums Analyst II, Staff Member, DataCenter Provider)
    I think this is the intended behavior: it's not meant to be displayed so you can guess how many letters are present and therefore guess the email account. The purpose is to allow for recognition of your own email account.

    That's exactly what you should be doing. I entered my email account information on both v76 and v78 of cPanel and was unable to replicate the reported behavior (I got the email account hint for my set email account).

    They might have multiple accounts but the email account itself would be unique.
     
  7. ethical (Well-Known Member)
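The two behaviours described in this thread (Kenneth: a masked form of the real contact address when one is set, a masked fake address when none is set; Lauren: a fixed mask that does not reveal how many characters the address has) can be illustrated in a few lines. The following is an added example written for this page, not cPanel's code and not a description of how cPanel's reset page is implemented: the `MASK` width, the `DECOY_TLDS` pool, the `accounts` lookup table, the server-side secret and all function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import re

# Added illustration of a fixed-shape password-reset email hint; this is
# not cPanel's code. The hint has the same shape for every address, so it
# reveals neither the length of the local part nor the domain name.
MASK = "**"                          # assumed fixed-width mask
DECOY_TLDS = ("com", "net", "org")   # assumed pool for decoy hints


def mask_contact_email(address):
    """Return a hint such as 'e**@e**.com' for 'ethical@example.com'.

    Only the first character of the local part, the first character of
    the domain and the top-level domain survive; everything else is a
    fixed-width mask, so 'b@x.co' and a 40-character address produce
    hints of identical shape.
    """
    local, at, domain = address.rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError("not an email address: %r" % address)
    name, _, tld = domain.rpartition(".")
    if not name or not tld:
        raise ValueError("not an email address: %r" % address)
    return "%s%s@%s%s.%s" % (local[0], MASK, name[0], MASK, tld)


def decoy_hint(username, server_secret):
    """Deterministic fake hint for an account with no contact address.

    Keyed with a server-side secret (assumed) so the decoy is stable
    across requests for the same username: a hint that changed on every
    reload would itself reveal that it is fake, while an HMAC keeps it
    unpredictable for a client that does not hold the secret.
    """
    digest = hmac.new(server_secret, username.encode("utf-8"),
                      hashlib.sha256).digest()
    local = chr(ord("a") + digest[0] % 26)
    dom = chr(ord("a") + digest[1] % 26)
    tld = DECOY_TLDS[digest[2] % len(DECOY_TLDS)]
    return "%s%s@%s%s.%s" % (local, MASK, dom, MASK, tld)


def password_reset_hint(username, accounts, server_secret):
    """Hint shown on the reset page for the submitted username.

    `accounts` maps username -> contact address or None (a constructed
    table standing in for the user database). Unknown usernames and
    accounts with no contact address take the same decoy path, so the
    page looks the same in both cases and a visitor cannot tell a
    missing contact address from a missing account.
    """
    contact = accounts.get(username)
    if contact:
        return mask_contact_email(contact)
    return decoy_hint(username, server_secret)


# Shape every hint, real or decoy, must satisfy.
HINT_SHAPE = re.compile(r"^[^@*]\*\*@[^@*]\*\*\.[a-z]+$")


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    accounts = {
        "alice": "alice.long.name@mailhost.example.com",
        "bob": "b@x.co",
        "carol": None,
    }
    secret = b"constructed-server-secret"
    # The last entry is an email address typed into the username box:
    # it matches no account, so it receives a decoy hint.
    for user in ("alice", "bob", "carol", "someone@example.com"):
        print(user, "->", password_reset_hint(user, accounts, secret))
```

Under this design a long address and a two-character one both render as `x**@y**.tld`, which is the point Lauren makes about not exposing the character count, and an email address submitted where a username is expected falls through to the decoy path, which is the kind of unrecognisable hint the original poster describes. The same-shape guarantee is checked by `HINT_SHAPE`; if you adapt the mask, keep the decoy generator producing exactly that shape, otherwise the two paths become distinguishable.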
    Thanks for your reply.
    I understand that, but end users don't get it, and honestly it took me 3 looks at one of them to actually tell it was a real hint. If I don't notice it the first time, good luck having an end user recognize it!

    a) But this is wrong then: if I enter my email address on the first screen, the second screen I get shows a bogus email hint... I can send you a video showing such if you like.
    b) Since cPanel usernames are usernames and not based on their email addresses, you should prevent email from being entered in this screen because i) if I enter an email address here it gives a bogus hint on the next screen, and
    ii) since some users have multiple cPanel accounts with the SAME EMAIL address as the email contact, it's not possible to reliably reset anything based on just the email address, since which account would it choose even if it did work.

    No, the email contact is not unique; it's the same email address for all cPanel accounts they have.
     
  8. cPanelLauren (Forums Analyst II, Staff Member, DataCenter Provider)
    The contact wouldn't need to be unique but what you enter at the prompt and the email address you're trying to get the password for would be. The contact as is stated in the user manager should be a separate email account unassociated with the account you're trying to reset the password for.


    Don't get me wrong here, it's not that I don't believe you, but I'm not able to replicate the issue; I get my email hint when attempting to reset the password, every time. If you'd like, please open a ticket and we'd be more than happy to look further into this issue; just click the link in my signature to get started.

    Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     
  9. ethical (Well-Known Member)
    OK, I will do a ticket, sure... maybe next week. And just to be clear, I am talking about the cPanel password reset, NOT email/webmail, so there is no way for the email address to be unique...

    thanks!
     