Security researcher Nurul Hüda Bursali reported that the password reset request on thethingsnetwork.org/conference returns different responses for valid and invalid usernames. This would allow an attacker to enumerate valid usernames by trial and error, which may open up possibilities for more targeted attacks. We've implemented and deployed a simple fix which disables password resets on this page, since it is only used by a small group of internal users.
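The general mitigation for this class of issue, where the page's own fix was simply to disable the feature, is to make the reset endpoint answer identically whether or not the username exists. The following is an added example written for this post, not The Things Network's code: a leaky handler is shown beside a uniform one, with a constructed in-memory user store and a stand-in mail outbox so it runs offline.

```python
"""Added example: a password-reset handler that leaks account existence,
beside a hardened version that answers identically either way.

Illustration code written for this post, not The Things Network's code.
USERS, Outbox and the token format are constructed stand-ins.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample user store: username -> e-mail address (assumption).
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}


@dataclass
class Outbox:
    """Stand-in for a mail queue so the example needs no mail server."""
    sent: List[Tuple[str, str]] = field(default_factory=list)


def leaky_reset(username: str, outbox: Outbox) -> Tuple[int, str]:
    """Vulnerable pattern: status code and message depend on whether the
    account exists, so the endpoint doubles as a username oracle."""
    email = USERS.get(username)
    if email is None:
        return 404, "No account with that username."
    outbox.sent.append((email, secrets.token_urlsafe(32)))
    return 200, "Password reset e-mail sent."


def uniform_reset(username: str, outbox: Outbox) -> Tuple[int, str]:
    """Hardened pattern: identical status and message for known and unknown
    usernames. The only side effect (queuing the e-mail) is invisible to the
    caller. The token is generated on every request so the work done does
    not depend on the lookup result either."""
    token = secrets.token_urlsafe(32)
    email = USERS.get(username)
    if email is not None:
        outbox.sent.append((email, token))
    return 200, "If that account exists, a password reset e-mail has been sent."


def responses_differ(handler: Callable[[str, Outbox], Tuple[int, str]],
                     known: str, unknown: str) -> bool:
    """Does the handler's visible response distinguish a valid username
    from an invalid one? True means the endpoint is an enumeration oracle."""
    return handler(known, Outbox()) != handler(unknown, Outbox())


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_reset), ("uniform", uniform_reset)):
        print(f"{name}: distinguishable = "
              f"{responses_differ(handler, 'alice', 'mallory')}")
```

Pair the uniform response with per-account and per-source rate limiting on the endpoint; a uniform message removes the direct oracle, but unlimited requests still let someone probe the e-mail delivery side channel if they control the addresses involved.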
We would like to thank Nurul Hüda Bursali for responsibly disclosing this issue and making The Things Network a safer place.
Posted Sep 03, 2020 - 13:41 CEST
This incident affected: Global Services (Website (www.thethingsnetwork.org)).