Closed Bug 958551 Opened 10 years ago Closed 10 years ago

password recovery yields active email addresses

Categories

(Bugzilla :: User Accounts, defect)

4.2.7
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 878035

People

(Reporter: heinrichmartin, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

Use the password recovery feature, i.e. enter a registered / not-registered email address.


Actual results:

The response tells the user whether the email address is registered as a user account. This yields active email addresses.


Expected results:

Always give conditional positive feedback: "Please check your inbox! We've sent a recovery email, if the email address is associated with a user account." or the like.

Related, but not identical: Bug 399010.
Applies to today's version of bugzilla.mozilla.org.
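As an added example (not code from this bug or from Bugzilla itself), the two behaviours side by side in Python: a handler whose reply differs by whether the address exists, as the report describes, and a handler that returns the reporter's uniform message and does the same work on both paths. The user store, the server secret and the `send_mail` callback are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample user store (email -> user id); not Bugzilla's data model.
USERS: Dict[str, int] = {"alice@example.com": 1, "bob@example.org": 2}
# Hypothetical per-deployment secret used to hash tokens before storage.
SERVER_SECRET = b"constructed-secret-for-demo-only"
# The uniform message the report proposes; it is returned in both cases.
NEUTRAL_MESSAGE = ("Please check your inbox! We've sent a recovery email, "
                   "if the email address is associated with a user account.")


@dataclass
class ResetOutcome:
    """Client-visible fields take part in equality; server-side ones do not."""
    status: int
    message: str
    mail_sent: bool = field(default=False, compare=False)
    token_hash: Optional[str] = field(default=None, compare=False)


def leaky_password_reset(email: str, users: Dict[str, int] = USERS) -> ResetOutcome:
    """The behaviour the bug describes: the reply reveals whether the address exists."""
    if email.strip().lower() not in users:
        return ResetOutcome(404, "There is no account with that email address.")
    return ResetOutcome(200, "A recovery email has been sent.", mail_sent=True)


def request_password_reset(email: str, users: Dict[str, int] = USERS,
                           send_mail: Callable[[str, str], None] = lambda to, tok: None) -> ResetOutcome:
    """Uniform reply: same status and text whether or not `email` is registered.

    Token generation and hashing run on both paths, so the response time does
    not obviously differ between the two cases either.
    """
    normalized = email.strip().lower()
    token = secrets.token_urlsafe(32)
    token_hash = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    if normalized in users:
        # Only the hash is kept server-side; the raw token goes to the inbox.
        send_mail(normalized, token)
        return ResetOutcome(200, NEUTRAL_MESSAGE, mail_sent=True, token_hash=token_hash)
    # Unknown address: identical client-visible outcome, nothing sent or stored.
    return ResetOutcome(200, NEUTRAL_MESSAGE)
```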
Version: unspecified → 4.2.7
I've seen lots of sites recently which choose helpfulness over avoiding email-harvesting here - and, to be honest, I love it. I have several email addresses, and being able to work out which one I signed up with is a real blessing.

Spammers aren't going to bother to validate a pile of email addresses they have, they are just going to spam them and ignore the bounces.

Gerv
Agree with Gerv. I, too, have converted my stance on this issue, and I no longer believe positively acknowledging an e-mail address is registered is a true security issue, especially when you can get the same information from the registration page.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Resolution: INVALID → WORKSFORME
You are a bit behind. This has already been fixed in Bugzilla 5.0.
Resolution: WORKSFORME → DUPLICATE
Sorry, got the wrong wording and did not find the duplicate.