No rate limit in reset password link

Hi,
In the functionality of “Forgot password”, we have observed that we can send an unlimited number of forgot password requests to any random email, even if the email is not a registered Metabase user.
This can be used to spam any random email with a potentially unlimited number of mails.

Is there a way to set a rate limit on the number of “Forgot password” requests that are sent to an email in a given time frame?
Also, is there functionality to send “Forgot password” requests only to registered Metabase users?

If there are no such features, can you kindly guide me on how to create requests for the addition of such features?

Thanks in advance.

Hi @yana
Please post “Diagnostic Info” from Admin > Troubleshooting.
Metabase does not send emails to non-existing users. We have an issue open about logging such information and throttling the requests - upvote by clicking :+1: on the first post of each issue:
https://github.com/metabase/metabase/issues/12987
https://github.com/metabase/metabase/issues/14317

Hi Flamber,
Thanks for the response. Will share Diagnostic Info in the next 2-3 days.
Adding to the above issue:
We have also observed that any random user can brute force on the login page with any random user’s credentials.

Steps to reproduce:

  1. Open Metabase.
  2. Click on sign in via email.
  3. Enter any random user’s email id.
  4. Now brute force with the password.

There is no limit on the number of brute force password attempts. Is there a way to configure the number of login attempts a user makes in a time frame?

Hi @yana, this is Luis from Metabase. I would really love to see a detailed guide for the tests you are making and the results, as I cannot reproduce (please send a detailed report to security@metabase.com).

Both endpoints /api/session (login) and /api/session/forgot_password (forgot password) are throttled to prevent brute force. Please check the source code here and here where it explicitly states that both endpoints are secured against brute forcing.

In fact, I have just tried several attempts manually. Please see the response from the endpoints

thanks!

Hi team,
We are not blocking the user here, we are blocking only the IP, which is easily bypassable; this is the use case here.

Hi @rahul.udaiwal599, as we stated above, if there is a finding, please send your detailed report to security@metabase.com

Thanks
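The per-IP versus per-account point raised in this thread, as an added example (not Metabase's code and not from any poster): a sliding-window throttle for a login endpoint keyed on both the source IP and the submitted email, so failures against one account are counted together regardless of which address they arrive from. The class names, limits and sample addresses are assumptions made up for illustration.

```python
import time
from collections import defaultdict, deque


class SlidingWindowThrottle:
    """Allow at most `limit` recorded events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have aged out of the window
        return q

    def blocked(self, key, now):
        return len(self._prune(key, now)) >= self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)


class LoginGuard:
    """Hypothetical guard: counts failed logins per IP and per submitted email."""

    def __init__(self, per_ip=20, per_account=5, window=300):
        self.by_ip = SlidingWindowThrottle(per_ip, window)
        self.by_account = SlidingWindowThrottle(per_account, window)

    def attempt(self, email, ip, password_ok, now=None):
        now = time.monotonic() if now is None else now
        # Key on the submitted address whether or not it is registered, so the
        # throttle response does not reveal which accounts exist.
        account = email.strip().lower()
        if self.by_ip.blocked(ip, now) or self.by_account.blocked(account, now):
            return "throttled"  # checked before the password, even a correct one
        if password_ok:
            return "ok"
        self.by_ip.record(ip, now)
        self.by_account.record(account, now)
        return "denied"


def demo():
    # Constructed input: 8 failed logins for one account, each from a new IP.
    guard = LoginGuard(per_ip=20, per_account=5, window=300)
    return [guard.attempt("Victim@example.com", f"203.0.113.{i}", False, now=float(i))
            for i in range(8)]
```

A per-account limit lets anyone temporarily throttle a known user's logins, so a short window is usually preferred over a hard lockout.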