ENXF NET
When requesting a password reset, the message for a valid email address is different from an invalid email address.
This can be exploited by a bad actor to harvest mail addresses.
Maybe change both messages to the same "If this mail address is known, an email is being sent to you" (or something)?
(Changing only the phrases does not solve this problem, because the specific page after a sent request is different for valid and invalid addresses.)
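The behaviour reported above and the suggested fix, as an added example that is not part of the original post or of the forum software's code: a reset handler whose message and landing page differ per address, a uniform version, and a regression check that lists which response fields still tell the two cases apart. The handler names, paths, message texts in the leaky handler and sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: one registered address (assumption, not from the post).
KNOWN_USERS = {"alice@example.com"}

GENERIC_MESSAGE = "If this mail address is known, an email is being sent to you."


@dataclass(frozen=True)
class Response:
    status: int
    location: str  # page the browser lands on after the request
    body: str


def reset_leaky(email: str, outbox: list) -> Response:
    """Behaviour described in the post: message and page differ per address."""
    if email.strip().lower() in KNOWN_USERS:
        outbox.append(email)
        return Response(302, "/lost-password/sent", "A reset email has been sent.")
    return Response(200, "/lost-password", "The requested email could not be found.")


def reset_uniform(email: str, outbox: list) -> Response:
    """Same status, landing page and message whether or not the address exists."""
    if email.strip().lower() in KNOWN_USERS:
        outbox.append(email)  # mail is queued only for real accounts
    return Response(302, "/lost-password/sent", GENERIC_MESSAGE)


def distinguishing_fields(handler) -> list:
    """Regression check: list the response fields that differ between a
    registered and an unregistered address (empty list means no oracle)."""
    known = handler("alice@example.com", [])
    unknown = handler("nobody@example.com", [])
    return [f for f in ("status", "location", "body")
            if getattr(known, f) != getattr(unknown, f)]


if __name__ == "__main__":
    print("leaky  :", distinguishing_fields(reset_leaky))
    print("uniform:", distinguishing_fields(reset_uniform))
```

The check compares the landing page as well as the message, which is the point of the post's last remark: aligning the phrases alone leaves the differing page as a signal.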