Mitigate the risk of information leakage through sign-up forms #507
Relates to: #306
Option 3: Do not register the user until the email has been validated.
Hi @da2ce7 I think that is what the program does when
I would do the following:
I also think it could do some more research on this topic and see how other apps implement it.
When you use an email that has already been used by another user you get a message like this:
That allows anyone to easily check whether a user with a given email is registered. Although this is very common behavior in a lot of online services, for example, LinkedIn:
I think we should try to mitigate it.
Proposal 1
Add a captcha and/or a rate limit (per IP) to the registration form to at least make it harder to automate checking a list of emails.
Proposal 2
Rework the `email_on_signup` option so that the email is always optional. The email is only needed when the `email_verification_enabled` option is enabled. The user's email is not used for anything else.
Both proposals are compatible.
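As an added illustration of Proposal 1 and of "Option 3" from the thread (not code from the Torrust project), the sketch below is a hypothetical registration service: it answers every sign-up with the same message whether or not the email is already registered, only keeps a pending record until the email link is confirmed, and applies a per-IP fixed-window rate limit. All type and field names are assumptions for the example.

```rust
use std::collections::{HashMap, HashSet};
use std::time::{Duration, Instant};

/// Reply sent to the client. The same variant is used for new and already
/// registered emails, so the reply itself cannot be used to enumerate users.
#[derive(Debug, PartialEq)]
pub enum SignupResponse {
    /// "If this email is not registered yet, a verification link was sent."
    CheckYourEmail,
    TooManyRequests,
}

/// Hypothetical in-memory fixed-window rate limiter keyed by client IP.
pub struct IpRateLimiter {
    pub max_per_window: u32,
    pub window: Duration,
    pub hits: HashMap<String, (Instant, u32)>, // ip -> (window start, count)
}

impl IpRateLimiter {
    pub fn allow(&mut self, ip: &str, now: Instant) -> bool {
        let entry = self.hits.entry(ip.to_string()).or_insert((now, 0));
        if now.duration_since(entry.0) >= self.window {
            *entry = (now, 0); // window expired: start a fresh one
        }
        if entry.1 >= self.max_per_window {
            return false;
        }
        entry.1 += 1;
        true
    }
}

/// Hypothetical registration service. Accounts are created only after the
/// verification link is confirmed; until then the email sits in `pending`.
pub struct Registration {
    pub registered: HashSet<String>,
    pub pending: HashMap<String, String>, // email -> verification token
    pub limiter: IpRateLimiter,
}

impl Registration {
    pub fn signup(&mut self, ip: &str, email: &str, now: Instant) -> SignupResponse {
        if !self.limiter.allow(ip, now) {
            return SignupResponse::TooManyRequests;
        }
        let email = email.trim().to_lowercase();
        if !self.registered.contains(&email) {
            // Unknown email: store a pending record (a real service would send the
            // verification mail here). Known email: do nothing visible; keep the
            // two code paths similar in cost so timing does not leak the difference.
            self.pending.entry(email).or_insert_with(|| "constructed-token".to_string());
        }
        SignupResponse::CheckYourEmail
    }
}
```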
cc @torrust/torrustaceans