@fadi-assaad opened this Issue on October 29th 2018

On the Change your password page, user enumeration is happening and it must change.
Simply replace the message "Error: Invalid username or e-mail address." with something like "An email has been sent to the address on record."
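The fix the report asks for, written out as an added example (this is not Matomo's code): a password-reset request handler that answers with the same status and message whether or not the submitted login or e-mail matches an account, shown beside the enumerable variant it replaces. The user table, the `Response` type and the helper names are assumptions made for the example; the only real side effect (sending mail) is modelled as appending to an `outbox` list.

```python
"""Password-reset request handling: enumerable vs. non-enumerable responses.

Added example, not project code. USERS is a constructed sample table.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample accounts (hypothetical users and addresses).
USERS = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}

# The message the issue objects to: it confirms that no such account exists.
LEAKY_ERROR = "Error: Invalid username or e-mail address."

# One message for every outcome, so the body reveals nothing about the account.
GENERIC_MESSAGE = (
    "If an account matches the details you entered, an email with reset "
    "instructions has been sent to the address on record."
)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def find_user(identifier: str) -> Optional[Tuple[str, str]]:
    """Look an account up by login or (case-insensitive) e-mail address."""
    for login, email in USERS.items():
        if identifier == login or identifier.lower() == email.lower():
            return login, email
    return None


def leaky_reset_request(identifier: str, outbox: list) -> Response:
    """Before: status and body differ depending on whether the account exists."""
    user = find_user(identifier)
    if user is None:
        return Response(400, LEAKY_ERROR)
    outbox.append(user[1])
    return Response(200, "An email has been sent to the address on record.")


def safe_reset_request(identifier: str, outbox: list) -> Response:
    """After: identical response either way; mail goes out only if an account
    matched. In a real deployment the send is queued asynchronously so the
    response time does not depend on the lookup result either."""
    user = find_user(identifier)
    if user is not None:
        outbox.append(user[1])
    return Response(200, GENERIC_MESSAGE)


def responses_distinguishable(handler, probes=("alice", "no-such-user")) -> bool:
    """Regression check for a test suite: True if the handler's response for an
    existing account differs from the one for a nonexistent account."""
    seen = {handler(probe, []) for probe in probes}
    return len(seen) > 1


if __name__ == "__main__":
    print("leaky handler enumerable:", responses_distinguishable(leaky_reset_request))
    print("safe handler enumerable: ", responses_distinguishable(safe_reset_request))
```

A uniform message closes the body-based oracle but not every channel: the endpoint should also be rate-limited, and the mail send should not run inline, otherwise response timing can still separate existing from nonexistent accounts. The `responses_distinguishable` check is the kind of assertion worth keeping in the test suite so the generic message is not quietly replaced later.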

@tsteur commented on October 30th 2018 Member

I don't think we consider this a security issue. We even provide API methods for users with view access to check if a specific userLogin or userEmail exists.

@mattab commented on November 5th 2018 Member

Users with view access have indeed the ability to check whether an account exists,

but wondering about anonymous users (thanks for reporting this issue @fadi-assaad): is it currently the only place where one can check whether a given username/email account exists?

@tsteur commented on November 5th 2018 Member

I suppose there are a couple more places... I wouldn't be surprised if UsersManager.getTokenAuth exposes it, and lots of other places.