Nonexistent account disclosure #28
Comments
AngelList's password recovery:
MailChimp blog post about differentiating for usability due to the aforementioned hole: http://blog.mailchimp.com/social-login-buttons-arent-worth-it/
Bountysource discloses account existence before you even submit the form.
Maybe
And, of course, it's possible to flub this without realizing: http://fusion.net/story/169808/ashley-madison-was-never-completely-discreet/ - perhaps there should be an "inadvertently-disclosed" value (misdisclosed?).
https://porkbun.com/account/forgot reveals an account's presence.
The real spec work for accommodating this needs to take forward-compat with #125 into account, which is why the schema work is currently happening over there.
Is trying to log in with a nonexistent account distinguished from trying to log in with the wrong password? Does the password recovery form tell you whether or not a user with that account exists?
These are things that can potentially be considered leaks (and if one does it, the other should too): if they're not considered a major leak, they should both be differentiated for usability.
Only distinguishing one is a red flag.
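The two questions above (does the login error distinguish an unknown account from a wrong password, and does the recovery form confirm existence) shown side by side in code. This is an added example, not code from the issue or from the project being discussed: a constructed in-memory user store with a "leaky" handler next to a "uniform" handler for each form, plus a small self-check that reports whether a handler answers differently for a known and an unknown address. The store contents, the mail stub and all function names are assumptions. The uniform login also hashes against a dummy credential when the account is missing, so the unknown-account path does the same work as the wrong-password path and does not stand out by response time.

```python
"""Login and password-recovery handlers with and without account disclosure (constructed example)."""
import hashlib
import hmac
import os
import secrets

_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed in-memory store: email -> (salt, pbkdf2 hash). Not a real service.
_USERS: dict[str, tuple[bytes, bytes]] = {}


def _add_user(email: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[email.lower()] = (salt, _hash_password(password, salt))


_add_user("alice@example.com", "correct horse battery staple")

# Dummy credential used when the account does not exist, so the nonexistent-account
# path costs the same as the wrong-password path (no timing tell).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-matches", _DUMMY_SALT)

# Stub mailer: records (recipient, token) instead of sending anything.
OUTBOX: list[tuple[str, str]] = []


def _send_reset_email(email: str) -> None:
    OUTBOX.append((email.lower(), secrets.token_urlsafe(32)))


def login_leaky(email: str, password: str) -> tuple[bool, str]:
    """Separate messages for 'no such account' and 'wrong password': an enumeration oracle."""
    record = _USERS.get(email.lower())
    if record is None:
        return (False, "No account with that email address.")
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password.")
    return (True, "Logged in.")


def login_uniform(email: str, password: str) -> tuple[bool, str]:
    """Same message and same amount of work for unknown account and wrong password."""
    salt, stored = _USERS.get(email.lower(), (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    ok = ok and email.lower() in _USERS  # a match against the dummy never logs anyone in
    return (ok, "Logged in." if ok else "Incorrect email address or password.")


def recover_leaky(email: str) -> str:
    """Confirms existence in the HTTP response itself."""
    if email.lower() not in _USERS:
        return "No account with that email address."
    _send_reset_email(email)
    return "A reset link has been sent."


def recover_uniform(email: str) -> str:
    """Identical response either way; the difference lives only in the mailbox."""
    if email.lower() in _USERS:
        _send_reset_email(email)
    return "If an account exists for that address, a reset link has been sent."


def discloses_existence(handler, known_email: str, unknown_email: str, *args) -> bool:
    """Self-check for your own endpoints: True if the responses differ for known vs unknown account."""
    return handler(known_email, *args) != handler(unknown_email, *args)


if __name__ == "__main__":
    for name, handler, extra in [
        ("login_leaky", login_leaky, ("wrong",)),
        ("login_uniform", login_uniform, ("wrong",)),
        ("recover_leaky", recover_leaky, ()),
        ("recover_uniform", recover_uniform, ()),
    ]:
        leaks = discloses_existence(handler, "alice@example.com", "nobody@example.com", *extra)
        print(f"{name}: {'discloses account existence' if leaks else 'uniform response'}")
```

Note the consequence of the issue's point about differentiating both or neither: with the uniform handlers, the only remaining channel is the mailbox (a reset mail arrives or it does not), which is the intended user-facing signal; the self-check is meant to be run against your own handlers as a regression test when error copy is edited.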