For legal reasons we can't send the email to HIBP in clear text.
Regarding the "Domain Search" functionality, there's no API (as far as I know). It works by sending you multiple emails, no API, so it is hard to automate a process around that.
I've also read one of Troy's old blog posts about a Domain Search callback system he put in place for a specific case: https://www.troyhunt.com/have-i-been-pwned-goes-little-bit/ which looks good but is not publicly available (that's my understanding).
So, if HIBP doesn't allow me to do that, I thought of other solutions based on it:
Firefox Monitor and 1pwd: They use the k-anonymity principle (https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/) which consists of sending only a hash of the searched email. Unfortunately, that functionality is reserved to 1pwd & Firefox Monitor.
Am I missing a way to interact with HIBP without sending the email in clear text?
Thank you
CodePudding user response:
Short answer: no.
Mozilla and 1Password use the k-anonymity model described here: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/
The reason I don't make that generally available is that every single k-anonymity search returns multiple results which would make it much easier for a nefarious party to abuse. Domain searches require verification of control at the time of search; an API that didn't require verification would also be open to misuse.
If you'd like to see new features, suggest them here (or vote on them if they already exist): https://haveibeenpwned.uservoice.com/
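As an added illustration (not code from the question, the answer, or HIBP itself) of the k-anonymity model both posts refer to: the client hashes the address, transmits only a short hex prefix, receives every stored suffix in that bucket, and matches locally. The breach corpus, the 1-character prefix length and the SHA-1-of-lower-cased-email normalisation are assumptions chosen so the simulation runs offline on a dozen constructed addresses; the bucket returned by `server_range` is the "multiple results per search" that the answer gives as the reason for not opening the model up generally.

```python
import hashlib

# Constructed sample corpus standing in for a breach database (no real breach data).
BREACHED_EMAILS = [
    "alice@example.com", "bob@example.org", "carol@example.net",
    "dave@example.com", "erin@example.org", "frank@example.net",
    "grace@example.com", "heidi@example.org", "ivan@example.net",
    "judy@example.com", "mallory@example.org", "niaj@example.net",
]

# Hex prefix length is a parameter of the scheme. It is kept very short here only so
# this tiny corpus yields buckets holding several suffixes; production services use a
# longer prefix over a corpus of hundreds of millions of hashes (assumed value).
PREFIX_LEN = 1


def email_hash(email: str) -> str:
    """SHA-1 of the normalised address (trimmed, lower-cased) as upper-case hex."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


def build_index(emails):
    """Server side: bucket every hash by prefix, keeping only the suffixes."""
    index = {}
    for addr in emails:
        digest = email_hash(addr)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def valid_prefix(prefix: str) -> bool:
    return len(prefix) == PREFIX_LEN and all(c in "0123456789ABCDEF" for c in prefix)


def server_range(index, prefix: str):
    """Server side: answer a range query with every suffix in that bucket.

    These are the 'multiple results' per search the answer refers to: the server
    cannot tell which returned suffix, if any, the caller was actually after.
    """
    if not valid_prefix(prefix):
        raise ValueError("prefix must be %d upper-case hex chars" % PREFIX_LEN)
    return sorted(index.get(prefix, set()))


def client_check(index, email: str):
    """Client side: only the prefix leaves the machine. Returns (pwned, bucket_size)."""
    digest = email_hash(email)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = server_range(index, prefix)  # `prefix` is the only value transmitted
    return suffix in bucket, len(bucket)
```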