+++ This bug was initially created as a clone of Bug #670887 +++

issue:
-------
When a user attempts to create an account, an email is sent. This email is different depending on if the email address has been used or not. If it has, the email says "this email is already in use". This could give useful information to an attacker in order to brute force accounts.

recommended remediation
-----------------------
Use generic messages in email. Example: "Instructions regarding registering an account have been sent to your email address."
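The state-dependent message from the report beside the generic one it recommends, with a regression check that fails when the two cases can be told apart. This is an added example, not code from the report or from Bugzilla; the function names, the sample address set and the "new account" message text are assumptions.

```python
# Added illustration: not Bugzilla code. All names here are hypothetical.

GENERIC_NOTICE = ("Instructions regarding registering an account "
                  "have been sent to your email address.")


def normalize(email):
    """Compare addresses case-insensitively and without stray whitespace."""
    return email.strip().lower()


def notify_state_dependent(email, registered):
    """Behaviour described in the report: the text depends on account state."""
    if normalize(email) in registered:
        return "this email is already in use"
    # Constructed text standing in for the normal sign-up message.
    return "Follow the instructions below to finish creating your account."


def notify_generic(email, registered):
    """Recommended remediation: identical text for every address."""
    # Account state may still drive server-side handling, but nothing the
    # requester receives is allowed to vary with it.
    return GENERIC_NOTICE


def leaks_account_state(notify, registered, known, unknown):
    """Regression check: True if a registered and an unregistered address
    produce messages that can be told apart."""
    return notify(known, registered) != notify(unknown, registered)


# Constructed sample data.
REGISTERED = {"alice@example.com"}

if __name__ == "__main__":
    for fn in (notify_state_dependent, notify_generic):
        leaks = leaks_account_state(
            fn, REGISTERED, "Alice@example.com", "nobody@example.com")
        print(f"{fn.__name__}: leaks account state = {leaks}")
```
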
Marking as 'blocks bug 670887' since a decision is needed on the BMO side before it can be considered for upstream inclusion; if y'all choose to implement this, please consider reopening 670887 with a patch proposal for upstream.