XF 1.5 Email probing / bruteforce guessing

Nicky Vermeersch

Active member
One of my site's members who got his account compromised recently pointed this out to me. As he was going through the email reset form, he noticed that you get two different responses depending on if the email excists or not. He pointed out that this could lead to possible 'email probing / brute force guessing' of email adresses that are registered on the website. This is theorically true, but does this really pose a threat or does Xenforo already has something to prevent this? (like throttling or something)


Well-known member
This is theorically true, but does this really pose a threat
No, it does not pose any extra threat.
They cannot reset AND use the password without access to the email account.
They do know that the email address exist in this forum but brute force does not work because they can try only a certain number of passwords in a given time.

Nicky Vermeersch

Active member
The question was more that the possible attacker could find out what email adresses are registered by attempting to reset a password. If the account excists, it would tell 'An email has been sent' while if it did not excist it would reply with 'This email adress has not been found'. Through this it would theorically be possible to find out who is registered on the board?


XenForo moderator
Staff member
You can mitigate that if you wish by changing the phrase(s) but that may cause confusion with your members if it's not clear whether the email address they are entering is the one they used to register with.

It's a balance.


XenForo developer
Staff member
I'd note that you can do this via the registration system too. It's one of those things where there is an arguable security trade off versus better usability for your users.