forked from pallets-eco/flask-security
User enumeration at login #34
How do you see the idea of unifying the messages USER_DOES_NOT_EXIST and INVALID_PASSWORD?
If they are split or in a different position, somebody could do a User Enumeration.
Testing for User Enumeration and Guessable User Account

Comments

@krahser one can change the messages to be equal so the immediate threat is eliminated.

IMHO it's not just the message, it's also the position in the DOM where the message is rendered.

@krahser then we should change the field validator to a form validator.
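The two login-check shapes the thread contrasts, written out as an added example that is not flask-security's own code. The per-field version attaches a distinct message to a distinct field depending on whether the email is registered; the form-level version always returns one message at one position, and always runs the password hash (against a dummy record when the email is unknown) so that response time does not leak existence either. The user store, the message text, the function names and the use of stdlib PBKDF2 are all assumptions for illustration; the two constant names mirror the message keys named in the issue.

```python
"""Login checks that leak vs. do not leak account existence.

Added example, not flask-security's code. USERS, the message strings,
the function names and PBKDF2-via-hashlib are assumptions for
illustration; a real app would use its configured password hasher.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: email -> (salt, digest). One user only.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used when the email is unknown, so a hash is still
# computed and the response time does not differ for unknown accounts.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

# Message text is assumed; the constant names are the ones in the issue.
USER_DOES_NOT_EXIST = "Specified user does not exist"
INVALID_PASSWORD = "Invalid password"
GENERIC = "Invalid email or password"


def login_field_validators(email: str, password: str):
    """Leaky shape: one validator per field, each with its own message.

    Returns (ok, {field: message}). Both the message text and the field
    the error is attached to (hence its position in the DOM) reveal
    whether the email is registered.
    """
    record = USERS.get(email)
    if record is None:
        return False, {"email": USER_DOES_NOT_EXIST}
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return False, {"password": INVALID_PASSWORD}
    return True, {}


def login_form_validator(email: str, password: str):
    """Hardened shape: a single form-level validator.

    One message, one position, and the same amount of work whether or
    not the email exists. The dummy record is only a timing stand-in;
    `email in USERS` ensures it can never authenticate anyone.
    """
    salt, digest = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), digest)
    if not (password_ok and email in USERS):
        return False, {"form": GENERIC}
    return True, {}


def distinguishable(login, known_email: str, unknown_email: str,
                    wrong_pw: str = "nope") -> bool:
    """True if the error response alone lets an attacker tell a
    registered email from an unregistered one (different field or
    different message)."""
    _, errors_known = login(known_email, wrong_pw)
    _, errors_unknown = login(unknown_email, wrong_pw)
    return errors_known != errors_unknown
```

`distinguishable` is the check a tester would run: submit a wrong password for an email known to exist and for one that does not, and diff the responses. With per-field validators the diff is non-empty; with the form-level validator it is empty, which is the property the thread is asking for.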