
create account provides too much information to potential malicious users

Status: NEW (Unassigned)
Product: bugzilla.mozilla.org
Component: General
Importance: -- enhancement
Reported: 9 months ago
Last updated: 9 months ago

People
(Reporter: emceeaich, Unassigned)

Tracking
(Depends on: 1 bug, {sec-low})
Version: Production
Keywords: sec-low

Details
(Whiteboard: [infrasec:bestpractice][ws:low][wh-5888746][wh-6174306][wh-6174346][wh-6201636])

+++ This bug was initially created as a clone of Bug #670887 +++

issue:
-------
When a user attempts to create an account, an email is sent. This email is different depending on whether the email address has been used or not. If it has, the email says "this email is already in use". This could give useful information to an attacker in order to brute force accounts.

recommended remediation
-----------------------
Use generic messages in email.

Example: "Instructions regarding registering an account have been sent to your email address."
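As an added illustration (not code from this bug, from BMO, or from upstream Bugzilla), the following Python sketch contrasts a registration handler whose submitter-visible message differs between a new and an existing address with one that returns the generic wording suggested above in both cases and keeps the case-specific text in the mail, which only the mailbox owner can read. The account set, addresses, confirmation URL and function names are constructed for the example. The generic response is only as good as its timing and rate limiting: queue the mail so the response time is the same on both paths, and throttle the endpoint, or the check stays enumerable by other means.

```python
"""Account-enumeration-resistant registration responses (illustrative example)."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample of existing accounts; hypothetical, not real users.
EXISTING_ACCOUNTS = {"alice@example.org", "bob@example.net"}

# The single message shown to whoever submitted the form, in every case.
GENERIC_RESPONSE = ("Instructions regarding registering an account have been "
                    "sent to your email address.")


@dataclass
class Outcome:
    user_message: str   # shown in the HTTP response / page to the submitter
    mail_subject: str   # delivered only to the mailbox owner
    mail_body: str


def register_leaky(email, existing=EXISTING_ACCOUNTS):
    """'Before': the visible response differs, so the submitter learns
    whether the address is registered without controlling the mailbox."""
    if email in existing:
        return Outcome("This email is already in use.", "", "")
    token = secrets.token_urlsafe(16)
    return Outcome(f"Confirmation sent to {email}.",
                   "Confirm your account",
                   f"https://example.invalid/confirm?token={token}")


def register_generic(email, existing=EXISTING_ACCOUNTS):
    """'After': identical visible response; the branch is only observable
    by whoever can read the mailbox, who is entitled to know anyway."""
    if email in existing:
        subject = "Someone tried to create an account with this address"
        body = ("An account for this address already exists. If this was you, "
                "log in or reset your password. Otherwise ignore this message.")
    else:
        token = secrets.token_urlsafe(16)  # one-time confirmation token
        subject = "Confirm your new account"
        body = ("Follow this link to finish creating your account: "
                f"https://example.invalid/confirm?token={token}")
    # In production the mail is handed to a queue here so that both paths
    # return in the same time; the example just returns the pieces.
    return Outcome(GENERIC_RESPONSE, subject, body)


def response_is_enumerable(register, existing_email, fresh_email):
    """True if the submitter-visible message distinguishes the two cases.
    compare_digest is used so the check itself is length/content-neutral."""
    a = register(existing_email).user_message.encode()
    b = register(fresh_email).user_message.encode()
    return not hmac.compare_digest(a, b)


if __name__ == "__main__":
    for handler in (register_leaky, register_generic):
        leak = response_is_enumerable(handler, "alice@example.org",
                                      "carol@example.com")
        print(f"{handler.__name__}: enumerable={leak}")
```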
Marking as 'blocks bug 670887' since a decision is needed on the BMO side before it can be considered for upstream inclusion; if y'all choose to implement this, please consider reopening 670887 with a patch proposal for upstream.
Blocks: 670887
No longer blocks: 670887
Depends on: 670887