
Is there a way to use haveibeenpwned (HIBP) without sending email in clear text?


For legal reasons we can't send the email to HIBP in clear text.

Regarding the "Domain Search" functionality, there's no API (as far as I know). It works by sending you multiple emails, no API, so it's hard to automate a process around that.

I've also read one of Troy's old blog posts about a Domain Search callback system he put in place for a specific case: https://www.troyhunt.com/have-i-been-pwned-goes-little-bit/ which looks good but is not publicly available (that's my understanding).

So, if HIBP doesn't allow me to do that, I thought of other solutions based on it:

Firefox Monitor and 1pwd: they use the k-anonymity principle (https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/), which consists of sending only a hash of the searched email. Unfortunately, that functionality is reserved to 1pwd & Firefox Monitor.

Am I missing a way to interact with HIBP without sending the email in the clear?

Thank you


Solution

  • Short answer: no.

    Mozilla and 1Password use the k-anonymity model described here: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/

    The reason I don't make that generally available is that every single k-anonymity search returns multiple results which would make it much easier for a nefarious party to abuse. Domain searches require verification of control at the time of search; an API that didn't require verification would also be open to misuse.

    If you'd like to see new features, suggest them here (or vote on them if they already exist): https://haveibeenpwned.uservoice.com/
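The k-anonymity model referred to in the question and the answer, as an added illustration that is not part of the original thread and not HIBP's own code: the client hashes the identifier, sends only a short hex prefix of the hash, the server returns every hash suffix it holds under that prefix, and the client does the final comparison locally, so the server never sees the full hash. The breach corpus, the 5-character prefix length (the same width the public Pwned Passwords range endpoint uses, here applied to addresses purely for illustration) and the addresses are all constructed assumptions. The last function shows the answer's point about leakage: every lookup hands back a whole bucket, and the expected bucket size grows with the corpus, so the server gives away many real hashes per query.

```python
import hashlib

# Constructed sample corpus (made-up addresses, not real breach data).
BREACHED = {
    "alice@example.com",
    "bob@example.com",
    "carol@example.net",
}

PREFIX_LEN = 5  # hex chars sent to the server: 20 bits of the 160-bit SHA-1


def sha1_hex(value: str) -> str:
    """Normalise and hash an identifier the way a client and server must agree on."""
    return hashlib.sha1(value.strip().lower().encode("utf-8")).hexdigest().upper()


# Server side: index suffixes by prefix so a range lookup never needs the full hash.
SERVER_INDEX: dict[str, set[str]] = {}
for _addr in BREACHED:
    _h = sha1_hex(_addr)
    SERVER_INDEX.setdefault(_h[:PREFIX_LEN], set()).add(_h[PREFIX_LEN:])

SERVER_LOG: list[str] = []  # everything the server ever receives from clients


def server_range_lookup(prefix: str) -> list[str]:
    """Server handler: sees only the prefix, returns all suffixes sharing it."""
    SERVER_LOG.append(prefix)
    return sorted(SERVER_INDEX.get(prefix.upper(), set()))


def client_check(email: str) -> bool:
    """Client: hash locally, send the prefix, match the suffix locally."""
    full = sha1_hex(email)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in server_range_lookup(prefix)


def expected_bucket_size(corpus_size: int, prefix_hex_len: int = PREFIX_LEN) -> float:
    """Average number of hashes returned per lookup for a corpus of the given size,
    assuming uniformly distributed hashes: corpus / 16**prefix_len."""
    return corpus_size / float(16 ** prefix_hex_len)


if __name__ == "__main__":
    for addr in ("alice@example.com", "nobody@example.org"):
        print(addr, "->", "breached" if client_check(addr) else "not found")
    print("server saw:", SERVER_LOG)
    # A hypothetical corpus of 500 million hashes would return roughly this many
    # suffixes per query, which is the leakage the answer is concerned about.
    print("expected suffixes per lookup for 500M hashes:",
          round(expected_bucket_size(500_000_000)))
```

With a realistic corpus, each range response is a few hundred hashes, which is why the answer treats an unverified k-anonymity endpoint for email addresses as a bulk-disclosure risk rather than a privacy feature for the querier alone.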