Re: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG

Hi,

> I do wonder if we should (non-normatively) mention the concern that
> having a well-known password change URL could be used for nefarious
> purposes (e.g. sending a lot of emails, denial of service if there’s a
> rate limit on password changes, authentication attacks against
> security questions, etc.).

I've filed https://github.com/WICG/change-password-url/issues/19 to
track adding this.


Thanks,
Tess

Received on Wednesday, 6 May 2020 13:38:28 UTC