Password reset security issue

Hi there,

I stumbled back upon this website after last using it in 2013, really liked the upgrade you guys gave it.

Now, the first thing I did was reset my password, but I couldn’t help but notice that when I entered my e-mail address I got the message: “We found your email”. So I tried a fake email and got the message: “No account matches [email protected]”. This is a potential risk to the website, as it is very easy for me to simply run a database of e-mail addresses / usernames on this screen and simply see who is using this website and who isn’t, and target them directly.

I would advise you to change the 2 different messages to 1 generic message along the lines of:
“If there was an account associated with , you will receive an email within the next 24 hours.”

I do hope this will be taken into consideration.


Don’t know enough about this software, but the old you could search users. I don’t see how knowing that a person uses a site is a security risk. Could you enlighten me?

Good point. This could lead to issues with phishing.

I’ve changed it to show the same message regardless of the email being in the db:

If an account matches %{email}, you should receive an email with instructions on how to reset your password shortly.

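As an added example (not code from this thread or from the site's own software), here are the leaky reset handler and the fixed one side by side, plus the kind of oracle check a defender can keep in a test suite; the account table and outbox are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data: registered addresses mapped to usernames.
ACCOUNTS = {"alice@example.com": "alice", "bob@example.com": "bob"}


@dataclass
class Outbox:
    """Stand-in for the mail queue; records which addresses were mailed."""
    sent: list = field(default_factory=list)


def reset_leaky(email: str, outbox: Outbox) -> str:
    """Vulnerable: the response text tells the caller whether the address is registered."""
    if email in ACCOUNTS:
        outbox.sent.append(email)
        return "We found your email"
    return f"No account matches {email}"


def reset_fixed(email: str, outbox: Outbox) -> str:
    """Hardened: the same message either way. Only the outbox differs, which the
    caller cannot see. Queue the mail asynchronously in a real app so that the
    response time does not become a second oracle."""
    if email in ACCOUNTS:
        outbox.sent.append(email)
    return (f"If an account matches {email}, you should receive an email with "
            "instructions on how to reset your password shortly.")


def enumerates(handler: Callable[[str, Outbox], str], known: str, unknown: str) -> bool:
    """Oracle check: after masking the submitted address, do a registered and an
    unregistered address yield different responses? True means users can be enumerated."""
    seen = handler(known, Outbox()).replace(known, "<email>")
    unseen = handler(unknown, Outbox()).replace(unknown, "<email>")
    return seen != unseen
```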

@astonecipher exactly as @John said, main concern was phishing, and in general, the less information you’re giving away, the more secure the platform.

& @John thanks for the quick response and change!
