• Resolved nils235

    (@nils235)


    Hey there,

    you can see if a user with a given email address has an account when you try to reset your password with that address. It says “user does not exist” which is not really best security practice… – Any chance to change that?

    I could edit the translation to “yea, I send you an email, no worries!”, but there will still be a revealing error message with that…

    Any ideas?

    Thanks in advance!

    nils
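The behaviour reported in the post above, next to a handler that answers every address the same way, as an added example that is not part of the thread or the plugin's code. All function names, the in-memory user store and the sample addresses are hypothetical and constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data: the only registered address in this toy store.
USERS = {"alice@example.com": {"reset_token_hash": None}}
OUTBOX = []  # stands in for a mail queue drained outside the request

GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


def _issue_token(key):
    """Store only a hash of the token; the clear token goes to the mail queue."""
    token = secrets.token_urlsafe(32)
    USERS[key]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((key, token))


def reset_revealing(email):
    """Behaviour described in the post: unknown addresses get a distinct reply."""
    key = email.strip().lower()
    if key not in USERS:
        return {"status": 404, "message": "user does not exist"}
    _issue_token(key)
    return {"status": 200, "message": "Reset link sent."}


def reset_uniform(email):
    """Same work for registered users, one status and one message for every input."""
    key = email.strip().lower()
    if key in USERS:
        # Queue the mail instead of sending inline so that response time
        # does not separate registered from unregistered addresses.
        _issue_token(key)
    return {"status": 200, "message": GENERIC_MESSAGE}


def leaks_account_existence(handler, known, unknown):
    """Regression check: True if the two replies can be told apart."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_revealing, reset_uniform):
        leaked = leaks_account_existence(handler, "alice@example.com", "nobody@example.com")
        print(handler.__name__, "leaks" if leaked else "uniform")
```

The check compares the whole reply, so a differing status code counts as a leak even when the message text has been changed in a translation file.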

Viewing 3 replies - 16 through 18 (of 18 total)
  • Plugin Contributor Champ Camba

    (@champsupertramp)

    Hi @nils235

    We didn’t add that option. It has been merged to the core as default. In the changelog, it’s this line "Updated: Form errors texts on the login/password reset forms. Made them secure." for this issue.

    Regards,

    Thread Starter nils235

    (@nils235)

    Ah, I see, thanks for the heads-up! – The description makes perfect sense (if you haven’t been waiting for a new options dialogue).

    Thanks!

    nils

    Plugin Contributor Champ Camba

    (@champsupertramp)

    Thanks for letting us know.

    Regards,

  • The topic ‘Security: wrong login reveals registered users’ is closed to new replies.