Fixed E-Mail TFA leaks email address


Well-known member
Affected version
This is most likely "Working as designed" but in the case the design is questionable ;)

TFA is meant to protect the account (and sensitive data within it), but unfortunately emai TFA displays the following message when triggered:
An email has been sent to <b>{email}</b> with a single-use code. Please enter that code to continue.

In case of an unauthorized access to the account (by an attacker that only has username and password) this leaks the users email address - effectively giving the attacker more data to work with.

I therefore think the email address should not be shown (at least not in full).
Last edited:
Could the phrase be edited as a (temporary) fix? I would say something like "A single-use code has been sent to the email address on file for this account." Or like other sites say, "If this email address is on file, we will send a single-use code to continue logging in to the site."
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.13).

Change log:
Avoid leaking the email address linked to an account that is using email two-step verification
There may be a delay before changes are rolled out to the XenForo Community.
Top Bottom