Labels: bug (Something isn't working), fixed (The issue has been resolved and ready for testing), released (The issue has been released), tested (The issue has passed testing and ready to release)

Notice
The identification and proposed resolution of this issue have been kindly provided by Kunal Mhaske, and this ticket has been logged on his behalf.

Vulnerability Name
Email enumeration at the SignUp page

Vulnerable URL
https://topsecret.chat/app/signup/signup.html

Description
At the signup page a message box says:
The email xxx@yyy.zzz is already in use.
The problem is that any used email gets the same error message, while when you enter any other e-mail, regardless of whether it is fake or not and valid or not, it gets accepted. This means any email (which could be fake) is valid except the emails registered in the database. So an attacker can compare both responses (success and failure) and enumerate users' emails on a large scale.

Impact
A brute-force attack at large scale may disclose users' emails.

Mitigation
A better security practice is simply saying that you sent a link to the e-mail, no matter whether they have an account already or not. If they have already registered and another process is done, the email message must say that someone tried to sign up with that email address; if that is you, please log in.

Comment
This issue has been resolved.
The resolution has also been extended to when a user attempts to change their email address, under their Profile >> Account page.
See below an example of the email received by the user when someone attempts registering using their email. A special THANKS again to Kunal Mhaske for the contribution and collaboration.
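The two signup behaviours the report contrasts, as an added example that is not the project's code: a handler whose response reveals registration status beside a hardened one that returns a single message and moves the distinction into the email. The `REGISTERED` set, `Outbox` class and handler names are constructed stand-ins for a user database and mail service.

```python
# Added example, not topsecret.chat's code: the response difference the report
# describes, and the enumeration-resistant variant its mitigation calls for.
from dataclasses import dataclass, field

# Constructed sample standing in for the accounts table.
REGISTERED = {"alice@example.com"}


@dataclass
class Outbox:
    """Stand-in for the mail service; records (recipient, body) pairs."""
    sent: list = field(default_factory=list)


def signup_vulnerable(email: str) -> str:
    # Behaviour from the report: the HTTP response itself says whether the
    # address exists, so registered and unregistered addresses are separable.
    if email in REGISTERED:
        return f"The email {email} is already in use."
    return "Check your inbox for a confirmation link."


def signup_hardened(email: str, outbox: Outbox) -> str:
    # Mitigation from the report: the response is identical in both cases.
    # Only the email content differs, and only the address owner can read it.
    if email in REGISTERED:
        outbox.sent.append((email, "Someone tried to sign up with this address. "
                                   "If that was you, please log in."))
    else:
        outbox.sent.append((email, "Confirm your address: <verification link>"))
    return "If the address is valid, we have sent a link to it."


def leaks_account_status(handler, known: str, unknown: str, *extra) -> bool:
    """Regression check for this issue: True when a registered and an
    unregistered address get different responses from the handler."""
    return handler(known, *extra) != handler(unknown, *extra)
```

The check only compares response bodies; a deployed fix also has to keep the status code and response time matched between the two branches, which is why the hardened handler does comparable work in each.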