Forum Discussion

catolab
Comet
2 months ago

Potential for abuse of the password reset link with https://cc2.catonetworks.com/forgotAdminPassword

Hi, This is Cato Lab from South Korea.

Our customer raised a question.

  1. Is there any way to prevent malicious actors from repeatedly entering an email address to trigger password reset emails, potentially spamming or annoying administrators?

Their concern is that someone could misuse the reset link mechanism to repeatedly send reset emails, causing inconvenience to the administrators or account owners.

Does Cato have any existing protections or recommended best practices to mitigate this type of abuse?

It will be really helpful if you guys know any type of protection behavior for administrators regarding using this webpage.

Thanks,

Best Regards,

Cato Lab.

3 Replies

  • michaelsaw
    Cato Professional Services

    Hi Catolab,

    You may set up Login Restrictions and consider MFA/SSO for admin login: https://support.catonetworks.com/hc/en-us/articles/4413280532113-Authenticating-Admins
    Would this be alright?

    Cheers!

  • Thanks for the reply.

    I understand what you meant about preventing non-admin users from entering the CATO CMA page;

    however, he was asking how to prevent people who try to reset someone's email through the link I provided.

    The customer seems worried that someone could maliciously try to renew the administrators' password many times.

    The customer was asking about preventive measures for users who repeatedly try to reset passwords or exhibit other malicious behavior.

    The customer stopped asking, so I think it's fine.

    Thanks for your answer.

    Best Regards,

    Catolab.

  • michaelsaw
    Cato Professional Services

    Hi catolab,

    You mentioned an interesting point.
    Perhaps it may be a consideration/idea to track details (such as time, date, source IP address...) when someone starts/triggers a password reset in CMA.

    Cheers
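
The thread asks how a reset-link endpoint can resist being used to flood administrators with reset mails, and the last reply suggests recording time, date and source IP whenever a reset is triggered. The following is an added illustration of both ideas in one place; it is example code written for this discussion, not Cato's implementation, and the limits (3 mails per address and 10 requests per source IP per hour), the generic response text and the sample addresses/IPs are all constructed assumptions. It keeps a sliding-window count per normalised email address and per source IP, writes an audit event for every attempt (allowed or denied), returns the same user-facing message either way so the endpoint does not reveal whether an address exists or whether a limit was hit, and exposes a small query over the audit log that a defender can use to spot sources producing many denied requests.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed policy values (assumptions for this example, not Cato settings).
PER_EMAIL_LIMIT = 3      # reset mails per address per window
PER_IP_LIMIT = 10        # reset requests per source IP per window
WINDOW_SECONDS = 3600    # sliding window length in seconds

# Same text whether or not a mail is sent, so the response neither confirms
# that the address belongs to an admin nor reveals that a limit was reached.
GENERIC_RESPONSE = "If that address belongs to an administrator, a reset link has been sent."


@dataclass
class AuditEvent:
    """One record per reset attempt: the details the last reply suggests tracking."""
    ts: float
    email: str
    source_ip: str
    allowed: bool
    reason: str


class ResetRequestGuard:
    def __init__(self, send_fn: Optional[Callable[[str], None]] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self.sent: List[str] = []                      # addresses actually mailed (stand-in for a mailer)
        self._send = send_fn if send_fn is not None else self.sent.append
        self._by_email: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self.audit_log: List[AuditEvent] = []

    @staticmethod
    def _prune(q: Deque[float], now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def request_reset(self, email: str, source_ip: str) -> Tuple[bool, str]:
        """Decide whether to send a reset mail; always return the generic message."""
        now = self._clock()
        key = email.strip().lower()   # normalise so Admin@X and admin@x share one bucket
        eq, iq = self._by_email[key], self._by_ip[source_ip]
        self._prune(eq, now)
        self._prune(iq, now)
        if len(iq) >= PER_IP_LIMIT:
            allowed, reason = False, "ip_rate_limit"
        elif len(eq) >= PER_EMAIL_LIMIT:
            allowed, reason = False, "email_rate_limit"
        else:
            allowed, reason = True, "sent"
        # Count every attempt, allowed or not, so repeated hammering keeps the window full.
        eq.append(now)
        iq.append(now)
        self.audit_log.append(AuditEvent(now, key, source_ip, allowed, reason))
        if allowed:
            self._send(key)
        return allowed, GENERIC_RESPONSE

    def noisy_sources(self, min_denied: int = 3) -> Dict[str, int]:
        """Detection helper: source IPs with at least `min_denied` denied requests in the log."""
        counts: Dict[str, int] = defaultdict(int)
        for ev in self.audit_log:
            if not ev.allowed:
                counts[ev.source_ip] += 1
        return {ip: n for ip, n in counts.items() if n >= min_denied}


if __name__ == "__main__":
    # Constructed simulation: one source repeatedly requesting resets for one admin address.
    guard = ResetRequestGuard()
    for _ in range(5):
        allowed, msg = guard.request_reset("Admin@Example.com", "198.51.100.7")
        print(allowed, msg)
    print("mails actually sent:", len(guard.sent))
    print("noisy sources:", guard.noisy_sources(min_denied=1))
    for ev in guard.audit_log:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ev.ts)), ev.source_ip, ev.email, ev.reason)
```

The per-address cap stops a single administrator's inbox from being flooded even when requests come from many sources, while the per-IP cap slows one source trying many addresses; the audit log gives the time, date and source IP that the last reply proposes tracking, and the constant response text keeps the endpoint from acting as an admin-address oracle.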