The Sign Up, Log In, and Forgot Password pages use non-generic error messages in certain cases (documented in further detail below). These error messages can be used by attackers to enumerate a list of valid user email addresses, which they can then use to perform brute-forcing, password guessing, credential stuffing, etc. to take over user accounts.
These error messages should be changed so that they do not reveal whether an account with that email address already exists.
Screens affected:
Sign Up
Current: Register using an email address that is already registered to another account → the error message in the screenshot below is displayed
Ideal: Change the message to the same message used for successful account creation (A confirmation message was sent to your email, click the link there to continue). In the actual email, you can reveal to the user that there is already an existing account registered to their email address.
Log In
Current: Log in using an email address that you registered with but have not yet clicked the link in the confirmation email → the error message in the screenshot below is displayed
Ideal: Change the message to the same generic message used for invalid password and non-existing user (No user found with that email, or password invalid)
Forgot Password
Current: Enter an unregistered email address → the error message in the screenshot below is displayed
Ideal: Change the message to the same message used for the success case (We've sent a recovery email to your account, follow the link there to reset your password). In the actual email, you can reveal to the user that there is no account registered to their email address.
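The three fixes above, as an added example that is not the project's own code: a toy account service (constructed here, with an in-memory outbox standing in for the mailer) where sign-up, log-in and forgot-password each return one fixed page message, and the account-specific detail goes only into the email.

```python
# Added example, not code from the project. Account states and the
# outbox are constructed stand-ins; password checking is simplified.
import hmac
from dataclasses import dataclass, field

SIGNUP_MSG = "A confirmation message was sent to your email, click the link there to continue"
LOGIN_MSG = "No user found with that email, or password invalid"
RESET_MSG = "We've sent a recovery email to your account, follow the link there to reset your password"


@dataclass
class Account:
    password: str          # a real store keeps a salted hash; plain text only to keep this short
    confirmed: bool


@dataclass
class Service:
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # (recipient, body) pairs instead of real email

    def sign_up(self, email, password):
        if email in self.accounts:
            # Page text is identical; only the email says an account already exists.
            self.outbox.append((email, "An account already exists for this address."))
        else:
            self.accounts[email] = Account(password, confirmed=False)
            self.outbox.append((email, "Confirm your new account by following this link."))
        return SIGNUP_MSG

    def confirm(self, email):
        self.accounts[email].confirmed = True

    def log_in(self, email, password):
        acct = self.accounts.get(email)
        # Unknown email, wrong password and unconfirmed account share one message.
        if acct is None or not hmac.compare_digest(acct.password, password) or not acct.confirmed:
            return False, LOGIN_MSG
        return True, "ok"

    def forgot_password(self, email):
        if email in self.accounts:
            self.outbox.append((email, "Reset your password by following this link."))
        else:
            # Page text is identical; only the email says no account is registered.
            self.outbox.append((email, "No account is registered to this address."))
        return RESET_MSG
```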