@fadi-assaad opened this Issue on October 29th 2018

In the Change your password page, user enumeration is happening and it must change.
Simply replace the message "Error: Invalid username or e-mail address." with something like "An email has been sent to the address on record."
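The change the issue asks for, shown as an added example that is not Matomo's own code: a "before" handler that answers differently for known and unknown accounts, beside a "after" handler that returns the same status and body either way and generates the reset token unconditionally so the work done is also uniform. The in-memory user table, the outbox list and the function names are constructed for the illustration.

```python
import secrets

# Constructed in-memory user table standing in for the application's user store.
USERS = {
    "alice": "alice@example.test",
    "bob": "bob@example.test",
}

# Constructed stand-in for the mail queue; a real deployment hands the message to
# an asynchronous mailer so that send latency cannot leak the lookup result either.
OUTBOX = []

# The response texts discussed in the issue.
LEAKY_ERROR = "Error: Invalid username or e-mail address."
GENERIC_MESSAGE = "If an account matches, an email has been sent to the address on record."


def lookup(login_or_email):
    """Return (login, email) for a matching username or e-mail, else None."""
    for login, email in USERS.items():
        if login_or_email in (login, email):
            return login, email
    return None


def reset_leaky(login_or_email):
    """Before: an unknown account gets a different status and body than a known one,
    so an anonymous caller can enumerate usernames and e-mail addresses."""
    hit = lookup(login_or_email)
    if hit is None:
        return 400, LEAKY_ERROR
    OUTBOX.append((hit[1], secrets.token_urlsafe(32)))
    return 200, GENERIC_MESSAGE


def reset_hardened(login_or_email):
    """After: identical status and body for every input. The token is generated
    whether or not the account exists so the code path does roughly the same work;
    only the mail itself is conditional, and it is queued rather than sent inline."""
    hit = lookup(login_or_email)
    token = secrets.token_urlsafe(32)
    if hit is not None:
        OUTBOX.append((hit[1], token))
    return 200, GENERIC_MESSAGE


def distinguishable(handler, known, unknown):
    """True if the responses for a known and an unknown account differ, i.e. the
    handler lets an observer tell the two apart."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky handler enumerable:   ", distinguishable(reset_leaky, "alice", "nobody"))
    print("hardened handler enumerable:", distinguishable(reset_hardened, "alice", "nobody"))
```

The generic message alone closes only the response-content channel; a defender should also rate-limit the endpoint and keep the mail send off the request path, otherwise response timing can still reveal which inputs triggered a real e-mail.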

@tsteur commented on October 30th 2018 Member

I don't think we consider this a security issue. We even provide API methods for users with view access to check if a specific userLogin or userEmail exists.

@mattab commented on November 5th 2018 Member

Users with view access indeed have the ability to check whether an account exists,

but I'm wondering about the anonymous user (thanks for reporting this issue @fadi-assaad): is it currently the only place where one can check whether a given username/email account exists?

@tsteur commented on November 5th 2018 Member

I suppose there are a couple more places... I wouldn't be surprised if UsersManager.getTokenAuth exposes it, and lots of other places.

@benji1000 commented on May 28th 2021

Hello, do you still consider user enumeration as a non-security issue? If yes, could you please take an official stance and close this issue? And if not, could you please fix it? Thank you for your answer.

FYI, OWASP seems to consider it as security issue.
