Password reset 'Hold Enter to send mail'
-
Confirmed that if you issue a password reset and hold enter, you can spam someone's email when the job runs. So don't do anything evil like using CodingHorror's, Sam's, EvilTrout, or Neil's username in the password reset box, because this is what happens when I used 'Matches'
That red arrow is pointing at 2424 messages, and I only held the button down for about 2-3 minutes.
-
In addition to this, they offer NO way to opt out of getting this email, so you can spam, and spam, and spam forever.
-
So don't do anything evil like using CodingHorror's, Sam's, EvilTrout, or Neil's username in the password reset box, because this is what happens when I used 'Matches'
I feel like these are suggestions?
-
I would never! How dare you!
Be a good Samaritan.
-
I would never! How dare you!
Be a good Samaritan.
You must be new here? Good Samaritans don't come here. ;)
-
Oh, my.
-
That red arrow is pointing at 2424 messages, and I only held the button down for about 2-3 minutes.
That's dedication right there... I would've given up after 10 seconds... but 2-3 minutes, good job.
-
Hey, I confirmed this in the other thread about password resets :P
-
This would make a nice front-side wtf
-
So don't do anything evil like using CodingHorror's, Sam's, EvilTrout, or Neil's username in the password reset box
It would be really nice if this was a difficult bug to track down and fix in the code. Then we could use it against them any time we wanted to prove a point.
-
It would be really nice if a Discourse project member would see 10,000 such mails flooding his account and, after asking around and learning this was done by tdwtf forum members, would have a minor mental breakdown and give up on working on public-facing projects ever again.
It would benefit all involved, I think.
-
Filed & resolved
http://www.discoursebugs.com/discoursebugs/issue/47/password-resets-are-not-rate-limited
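
The issue title names the missing control. As an added example (not from this thread and not Discourse's own code), here is a sliding-window limiter checked per account and per client IP before a reset mail is queued. The class name, the limits and the sample IP are assumptions, and the burst replays the 2424 submissions from the first post as constructed input.

```ruby
# Added example: rate limiting password-reset requests (hypothetical names and limits).
class ResetLimiter
  # kind => [max requests, window in seconds]; values are assumed, tune per site.
  LIMITS = { account: [3, 3600], ip: [10, 3600] }.freeze

  def initialize
    @hits = Hash.new { |h, k| h[k] = [] } # [kind, id] => timestamps of allowed requests
  end

  # True if a reset mail may be queued; records the request only when allowed.
  def allow?(username, ip, now = Time.now.to_f)
    # Normalise the username so "Matches" and " matches " share one bucket.
    keys = { account: username.to_s.strip.downcase, ip: ip }
    buckets = keys.map do |kind, id|
      max, window = LIMITS.fetch(kind)
      hits = @hits[[kind, id]]
      hits.reject! { |t| t <= now - window } # drop entries outside the window
      [hits, max]
    end
    return false if buckets.any? { |hits, max| hits.size >= max }
    buckets.each { |hits, _max| hits << now }
    true
  end
end

# Constructed replay of the report: Enter held down for about 2.5 minutes.
def simulate_held_enter(requests: 2424, seconds: 150.0)
  limiter = ResetLimiter.new
  outbox = [] # stands in for the mail job queue
  requests.times do |i|
    now = 1_000_000.0 + i * seconds / requests
    outbox << "Matches" if limiter.allow?("Matches", "203.0.113.7", now)
  end
  outbox.size
end

puts "reset mails queued: #{simulate_held_enter}" if __FILE__ == $PROGRAM_NAME
```

The per-IP bucket also caps one client cycling through several usernames, which the per-account bucket alone would not.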