[2020] Account Recovery Needs To Give Less Info

Over the last few months I've been getting password recovery emails from Jagex every week or so. These are legitimate emails from Jagex, they're just from people putting my email into account recovery. I have no worries that someone will manage to steal my account like this, as I have 2fa on both the game and my email, unique password for both, all the normal security measures aside from the age of my email. How do they have my email? Undoubtedly because it's an old email, has been leaked many times from other websites, and the person is likely just trying a bunch of leaked emails in a row to see what they can hit.

But that's the problem. Proper Account recovery systems should give NO indication if an account exists or not. At most a forgotten password should state "If an account for **** exists, an email has been sent". Instead you have this abomination.

The left side is what you see if you put in an email (or account if it's that old) that doesn't exist as a runescape account. The middle followed by the right is what happens when the account exists. This doesn't just tell you that the email they put in exists, it also tells you the progress this account has made in both osrs and rs3. It's kind of them to censor the email name, as I suspect it would show the email for older accounts that dont use the email to login, but it's still too much information even there, as the censor stars shows the actual length of my email (not too worried showing that here, due to other security + the email is old anyways).

Now, admittedly, many companies unfortunately do this; they'll specify when the email entered is not a registered user. That does not make it okay. I'm not even the first to bring it up on reddit from what I've seen, but if you follow the reddit links all the way to a twitter post about it you can see mod ash knew about it almost 2 years ago.

Almost a year ago, the osrs blog brought up that they would be working on improving account security. A quote from that very blog post:

Recovery Abuse

One of the biggest challenges we face when reviewing account recovery attempts is identifying if the request has been submitted by the account owner.

Our focus for the next year is on stopping the hijackers before they even get to an account, but regardless we need to improve how we process account recovery attempts. This may mean that appeal information requirements become stricter. It’s going to take some time to find that right balance between safety and swiftly getting players back into the game. At the moment we don’t feel we have it quite right, so work will continue on this.

So, when are we actually going to see this part of the blog addressed? We did get another security update back in October, but it was almost entirely about updating the authenticator process.

External link →