
XenForo sign-up system - Privacy / Security Concern?

Discussion in 'General XenForo Discussion and Feedback' started by melbo, Mar 26, 2015.

  1. melbo

    melbo Well-Known Member

    Was reading this discussion https://news.ycombinator.com/item?id=8683003

    Is it wise to confirm the validity of an account / email address like below?

    Seems like it should fail silently, skip this warning and go directly to the 'Check your email' screen: sending the confirmation email to the new member's email address or an alert to the address already in use.
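
The flow proposed in the post above (always land on 'Check your email', and mail either a confirmation to the new address or an alert to the address already in use), written out as an added example that is not part of the original thread and is not XenForo code. `SignupService`, its in-memory stores and the message kinds are hypothetical names chosen for illustration.

```python
"""Uniform sign-up response: constructed example, not XenForo code."""
from dataclasses import dataclass, field
import secrets

# The one response every registration attempt receives.
CHECK_EMAIL = {"status": 200, "body": "Check your email to continue."}


@dataclass
class SignupService:
    # In-memory stand-ins for the user table and mail queue (assumptions).
    users: dict = field(default_factory=dict)    # normalized email -> username
    pending: dict = field(default_factory=dict)  # token -> (email, username)
    outbox: list = field(default_factory=list)   # (recipient, kind) tuples

    @staticmethod
    def normalize(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str, username: str) -> dict:
        addr = self.normalize(email)
        if addr in self.users:
            # Address already in use: alert its owner by mail instead of
            # telling the requester's browser.
            self.outbox.append((addr, "already_registered_notice"))
        else:
            token = secrets.token_urlsafe(32)
            self.pending[token] = (addr, username)
            self.outbox.append((addr, "confirm_account"))
        # Same status and body on both branches. Queue the mail
        # asynchronously in production so response time matches as well.
        return dict(CHECK_EMAIL)

    def confirm(self, token: str) -> bool:
        entry = self.pending.pop(token, None)
        if entry is None:
            return False          # unknown or already used token
        addr, username = entry
        if addr in self.users:
            return False          # another pending sign-up confirmed first
        self.users[addr] = username
        return True
```

The account is only created in `confirm`, so the page shown after submitting the form carries no information about whether the address was already registered.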

  2. Mike

    Mike XenForo Developer Staff Member

    Realistically, there isn't any way to prevent this. While you propose failing silently, the act of failing would itself leave evidence that could be used to determine the result. If you do this here and you go back to hiding the result on failed logins or lost password requests, you're really making the experience demonstrably worse for the average case. There is always a convenience/security trade-off.

  3. melbo

    melbo Well-Known Member

    Yeah. I suppose that if I attempted to register an email and I didn't receive a confirmation email I could assume that an account was registered to that email. No way around it then.

    Email confirmation by itself is already a hurdle that an average user must overcome to finalize the account.

  4. Newt

    Newt Active Member

    By the way, what happens when somebody uses a banned domain (set in ACP or via some antispam API) as their social media account email and uses that account to register on the site?
    MMAcomm likes this.
