Password reset email hint issue

ethical

Well-Known Member
Apr 7, 2009
related to this thread

Password Recovery - Email Hint

The email hint shown for a password reset displays a totally random yet obscured email address. All my clients email me thinking they have been hacked because they do not recognize that email address.

I was about to submit a feature request since this issue is really bugging me and creating a lot of support requests, but never once has the ACTUAL contact email address displayed as the hint address when a user tries to reset their cPanel password; yes, they all have contact email addresses set. Is this still a "feature" or is there a way to stop this silliness finally?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
At face value this sounds like a bug.

When resetting a password, and a contact email address is set, an obfuscated form of the contact email address is supposed to display.

If a contact email address is not set, then an obfuscated form of a fake contact email address is displayed.
 

ethical

Well-Known Member
Apr 7, 2009
Hi Kenneth, hmmm, it looks like you did fix it, sorry. However my clients are still getting confused, one the other day I think because you only put in 2 blank spaces on each side of the @ sign.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @ethical

The specific issue initially mentioned with random addresses is indeed as @cPanelKenneth mentioned - if the contact email isn't set within the User Manager this will use an obfuscated fake contact email address. What you're referencing now I'm not sure I've seen before. Was the entirety of the form blank besides the @ symbol or were only the letters to the immediate left and right obfuscated?

Thanks!
 

ethical

Well-Known Member
Apr 7, 2009
Sorry for the delay, what I mean is the hint email shows only 2 digits on either side of the @ sign, eg

a__n@g__l.com. This suggests the email address is only 4 characters long, such as [email protected], as a suggestion.

But I do have another issue totally related to this. While the email hint does show a correct address (albeit in a silly way), once I fill in my email address, I get taken to a second screen that says

"Complete your contact email address below to receive your security code." and this page shows a totally bogus email address.

Now thinking about this further I realize I entered my email address on the first step of the password reset, NOT the username, and then it takes me to the next screen with the bogus email hint.
>>I think most people are used to entering an email address here so I think it should be made clear OR not allow an email address to be entered at all in the box and ONLY a username.

Since I have clients with multiple accounts, you can't really use the email to reset anyway since it would not know which account to reset.

Does that make sense? Basically I think you need to NOT allow an email to be entered in the username password reset box....
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
> Sorry for the delay, what I mean is the hint email shows only 2 digits on either side of the @ sign, eg
>
> a__n@g__l.com. This suggests the email address is only 4 characters long, such as [email protected], as a suggestion.

I think this is the intended behavior - it's not meant to be displayed so you can guess how many letters are present and therefore guess the email account. The purpose is to allow for recognition of your own email account.

> Now thinking about this further I realize I entered my email address on the first step of the password reset, NOT the username, and then it takes me to the next screen with the bogus email hint.

That's exactly what you should be doing. I entered my email account information on both v76 and v78 of cPanel and was unable to replicate the reported behavior (I got the email account hint for my set email account).

> Since I have clients with multiple accounts, you can't really use the email to reset anyway since it would not know which account to reset.

They might have multiple accounts but the email account itself would be unique.
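To make concrete the two points raised in this thread by cPanelKenneth (an obfuscated real contact address when one is set, an obfuscated fake one when it is not) and by cPanelLauren (the mask is fixed-width so the hint cannot be used to guess the address length), here is an added illustration. It is not cPanel's code and does not reproduce how cPanel actually implements the hint; every name in it (obfuscate_email_hint, decoy_email, password_reset_hint, the HMAC-derived decoy, the server secret) is an assumption made for the example.

```python
import hashlib
import hmac
from typing import Optional

# Hypothetical names throughout; this is an illustration, not cPanel's code.
MASK = "__"  # fixed width: a 4-letter and a 14-letter address mask to the same shape


def _mask_segment(segment: str) -> str:
    """Keep the first and last character of a segment and hide the rest behind a
    fixed-width mask, so the hint's length says nothing about the real length."""
    if not segment:
        return MASK
    return segment[0] + MASK + segment[-1]


def obfuscate_email_hint(email: str) -> str:
    """Render an address in the a__n@g__l.com style seen in the thread:
    local part and host label masked, the public suffix left readable."""
    local, _, domain = email.partition("@")
    if "." in domain:
        host, _, tld = domain.rpartition(".")
        masked_domain = f"{_mask_segment(host)}.{tld}"
    else:
        masked_domain = _mask_segment(domain)
    return f"{_mask_segment(local)}@{masked_domain}"


def decoy_email(username: str, server_secret: bytes) -> str:
    """Fake contact address for accounts that have none set. Deriving it with
    HMAC over the username (a design choice for this example) keeps the decoy
    stable across attempts, so an account without a contact address is not
    given away by a hint that changes on every visit."""
    digest = hmac.new(server_secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{digest[:8]}@{digest[8:16]}.com"


def password_reset_hint(username: str, contact_email: Optional[str], server_secret: bytes) -> str:
    """What the reset form would show: the real contact obfuscated if one is set,
    otherwise an obfuscated decoy, both produced by the same masking path."""
    address = contact_email or decoy_email(username, server_secret)
    return obfuscate_email_hint(address)


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed; in practice a server-side secret
    print(password_reset_hint("alice", "aaron@gmail.com", secret))  # a__n@g__l.com
    print(password_reset_hint("alice", "a.very.long.name@example.co.uk", secret))
    print(password_reset_hint("orphan", None, secret))
```

Because the real address and the decoy pass through the same masking function, the two hints have the same shape, which is what makes the decoy useful: the reset form looks identical whether or not a contact address is on file. The cost, as the thread shows, is that a hint this terse is hard for users to recognise as their own address.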
 

ethical

Well-Known Member
Apr 7, 2009
Thanks for your reply.

> I think this is the intended behavior - it's not meant to be displayed so you can guess how many letters are present and therefore guess the email account. The purpose is to allow for recognition of your own email account.

I understand that, but end users don't get it and honestly it took me 3 looks at one of them to actually tell it was a real hint. If I don't notice it the first time, good luck having an end user recognize it!


> That's exactly what you should be doing. I entered my email account information on both v76 and v78 of cPanel and was unable to replicate the reported behavior (I got the email account hint for my set email account).

a) But this is wrong then; if I enter my email address on the first screen, the second screen I get shows a bogus email hint... I can send you a video showing such if you like.
b) Since cPanel usernames are usernames and not based on their email addresses, you should prevent email from being entered in this screen because i) if I enter an email address here it gives a bogus hint on the next screen, and
ii) since some users have multiple cPanel accounts with the SAME EMAIL address as the email contact, it's not possible to reliably reset anything based on just the email address, since which account would it choose even if it did work.

> They might have multiple accounts but the email account itself would be unique.

No, the email contact is not unique; it's the same email address for all cPanel accounts they have.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
> No, the email contact is not unique; it's the same email address for all cPanel accounts they have.

The contact wouldn't need to be unique, but what you enter at the prompt and the email address you're trying to get the password for would be. The contact, as is stated in the User Manager, should be a separate email account unassociated with the account you're trying to reset the password for.


Don't get me wrong here, it's not that I don't believe you, but I'm not able to replicate the issue; I get my email hint when attempting to reset the password, every time. If you'd like to, please open a ticket and we'd be more than happy to look further into this issue; just click the link in my signature to get started.

Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

ethical

Well-Known Member
Apr 7, 2009
OK, I will do a ticket, sure... maybe next week, and just to be clear I am talking about cPanel password reset NOT email/webmail so there is no way for the email address to be unique...

thanks!
 

splaquet

Well-Known Member
Sep 24, 2008
W. Hartford, CT
cPanel Access Level
Root Administrator
I realize that this thread is over 1 year old, but I'm seeing the same results happen... as of right now, and on 2 different servers.

It would appear as though the first time that page displays (for the password reset), it's some random email that's being used as the "email hint". I've had a few different clients report this to me, also sending screenshots.

To confirm that they weren't simply being total NOOBs, I tried it out myself. ...and sure enough, same thing happened.

BUT, I did find that when I stepped back out to the main webmail login screen and clicked on "reset password" the second time, it actually showed their correct email as the email hint.

This wouldn't really be an issue if their actual email worked the first time (with random characters as the hint), but it's not. But, it DOES properly show the third party email AND properly issue the password reset, when cycling through the steps a second time.

RANDOM FIRST TIME:

randomly generated email

CORRECT SECOND TIME:
actual email hint


###

And, I'd also like to mention that even after manually setting the passwords, or setting them via the password reset, this still shows "INVITE PENDING".
Screenshot 2020-01-08 17.02.30.png
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hello,

Is the contact email for the user set in cPanel>>Preferences>>Contact Information? I still am unable to replicate this issue. The steps I took are as follows:

1. Create a new account
2. Update cPanel>>Preferences>>Contact Information with the appropriate email
3. Logout
4. Attempt to reset password at login screen

I receive the correct email hint every time whether it's the first or 20th time.


How are you creating the accounts that are being shown with "invite pending"?
 

splaquet

Well-Known Member
Sep 24, 2008
W. Hartford, CT
cPanel Access Level
Root Administrator
> How are you creating the accounts that are being shown with "invite pending"?

I'm creating these new accounts using their personal emails, rather than manually setting a password.

Both users’ initial setup link had expired by the time they had clicked on the link. (Not sure if that matters, but noting.)

I shared the respective webmail/password reset link with them... and that’s where/how I’ve seen this behavior.

The two users I've seen this behavior with were both on different cPanel accounts and different servers.

Also worth noting, the invitation link in that email seems to expire VERY quickly! (Less
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @splaquet

I'm sorry about the time it's taken to get back to you on this. I'm attempting to replicate this but I'm not seeing how you're doing this from the User Manager interface:

> I shared the respective webmail/password reset link with them... and that's where/how I've seen this behavior.

The password reset link email should have been delivered to the user and shouldn't have been accessible to you. Or is the link you're referencing this one? https://webmail.domain.tld.us/resetpass?start=1

When using that link I'm not able to replicate the issue with the invite pending notice.

The only reason that should be present is in the event they never reset their password.

> Also worth noting, the invitation link in that email seems to expire VERY quickly! (Less

So, it may, because it's cookie based; depending on your settings for sessions this could expire prior to 24 hours.