duderuud
Well-known member
When requesting a password reset, the message for a valid email address is different from an invalid email address.
This can be exploited by a bad actor to harvest mail addresses.
Maybe change both messages to the same "If this mailaddress is known, an email is being sent to you" (or something)?
(Not only changing phrases solves this problem because the specific page after a sent request is different for valid and invalid addresses.)
This can be exploited by a bad actor to harvest mail addresses.
Maybe change both messages to the same "If this mailaddress is known, an email is being sent to you" (or something)?
(Not only changing phrases solves this problem because the specific page after a sent request is different for valid and invalid addresses.)
Upvote
2
