Is there a way to use haveibeenpwned (HIBP) without sending email in clear text?

Time:05-10

For legal reasons we can't send the email to HIBP in clear text.

Regarding the "Domain Search" functionality, there's no API (as far as I know). It works by sending you multiple emails, with no API, so it's hard to automate a process around that.

I've also read one of Troy's old blog posts about a Domain Search callback system he put in place for a specific case: https://www.troyhunt.com/have-i-been-pwned-goes-little-bit/ which looks good but is not publicly available (that's my understanding).

So, if HIBP doesn't allow me to do that, I thought of other solutions based on it:

Firefox Monitor and 1pwd: they use the k-anonymity principle (https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/), which consists of sending only a hash of the searched email. Unfortunately, that functionality is reserved for 1pwd & Firefox Monitor.

Am I missing a way to interact with HIBP without sending the email in the clear?

Thank you

CodePudding user response:

Short answer: no.

Mozilla and 1Password use the k-anonymity model described here: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/

The reason I don't make that generally available is that every single k-anonymity search returns multiple results which would make it much easier for a nefarious party to abuse. Domain searches require verification of control at the time of search; an API that didn't require verification would also be open to misuse.

If you'd like to see new features, suggest them here (or vote on them if they already exist): https://haveibeenpwned.uservoice.com/
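To make the k-anonymity model discussed in the question and the answer concrete, here is an added example (not code from the original post, not HIBP's own code, and not the private Firefox Monitor/1Password endpoint) that simulates a range lookup modelled on the public Pwned Passwords range API: the client hashes the normalised email with SHA-1, sends only the first few hex characters of the digest, and the server returns every suffix in that bucket in `SUFFIX:COUNT` form, so the match is decided locally. The breached-email list, the `RangeServer` class, and the 5-character prefix length (the public Pwned Passwords convention; the private email endpoint's real prefix length is not stated on this page) are all constructed assumptions for the demo.

```python
"""Simulated k-anonymity range lookup (constructed example, not HIBP code)."""
import hashlib
from collections import Counter, defaultdict

# Hex characters of the SHA-1 digest the client reveals. 5 is the public
# Pwned Passwords convention; treated here as an assumption for emails.
PREFIX_LEN = 5
HEX_DIGITS = set("0123456789ABCDEF")

# Constructed sample breach data: (email, breach name). alice appears twice.
BREACHED_SAMPLE = [
    ("alice@example.com", "breach-a"),
    ("alice@example.com", "breach-b"),
    ("bob@example.org", "breach-a"),
]


def normalize_email(email: str) -> str:
    """Canonicalise so client and server hash identical bytes."""
    return email.strip().lower()


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1, the digest form the range API convention uses."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Stand-in for the service side. It indexes breached emails by digest
    prefix and records what clients actually sent it, so we can show that
    only prefixes (never full emails or full hashes) reach the server."""

    def __init__(self, breached_emails):
        self.received = []
        buckets = defaultdict(Counter)
        for email, _breach in breached_emails:
            digest = sha1_hex(normalize_email(email))
            buckets[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1
        self.buckets = buckets

    def range_query(self, prefix: str) -> str:
        """Return every suffix in the bucket as 'SUFFIX:COUNT' lines.
        Rejects malformed prefixes before touching the index."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be %d uppercase hex chars" % PREFIX_LEN)
        self.received.append(prefix)
        rows = sorted(self.buckets.get(prefix, {}).items())
        return "\r\n".join("%s:%d" % (suffix, count) for suffix, count in rows)


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blanks."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _sep, count = line.partition(":")
        result[suffix] = int(count)
    return result


def check_email(server: RangeServer, email: str):
    """Client side. Returns (breach_count, bucket_size). bucket_size is the
    number of suffixes the server handed back for this prefix, i.e. the size
    of the anonymity set the query hides in."""
    digest = sha1_hex(normalize_email(email))
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = parse_range_response(server.range_query(prefix))
    return candidates.get(suffix, 0), len(candidates)


if __name__ == "__main__":
    server = RangeServer(BREACHED_SAMPLE)
    for addr in ("  Alice@Example.COM ", "carol@example.net"):
        hits, bucket = check_email(server, addr)
        print("%-22s breaches=%d bucket_size=%d" % (addr.strip(), hits, bucket))
    print("server saw only prefixes:", server.received)
```

With the three-entry sample set each bucket holds at most one suffix; against a real corpus a 5-character prefix maps to hundreds of suffixes, which is exactly the property the answer flags as an abuse risk: every query leaks the whole bucket, so an email-keyed version of this endpoint is kept private rather than offered as a general API.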
