Closed
Bug 958551
Opened 10 years ago
Closed 10 years ago
password recovery yields active email addresses
Categories
(Bugzilla :: User Accounts, defect)
RESOLVED
DUPLICATE
of bug 878035
People
(Reporter: heinrichmartin, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:
use the password recovery feature, i.e. enter a registered / not registered email address

Actual results:
the response tells the user whether the email address is registered as a user account - this yields active email addresses

Expected results:
always give conditional positive feedback: "Please check your inbox! We've sent a recovery email, if the email address is associated with a user account." or the like ...

Related, but not identical Bug 399010. Applies to today's version of bugzilla.mozilla.org.
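The behaviour requested under "Expected results", next to the behaviour reported under "Actual results", as an added Python example that is not Bugzilla's code and not part of the original report. The account store, the function names and the text of the two differing responses are constructed for illustration; the uniform message is the wording proposed in the report.

```python
"""Added example: password-recovery responses that do or do not reveal
whether an address has an account. All names and data are constructed."""

# Constructed sample account store (hypothetical addresses).
ACCOUNTS = {"alice@example.org", "bob@example.org"}

# Wording proposed in the report's "Expected results".
UNIFORM_MSG = ("Please check your inbox! We've sent a recovery email, "
               "if the email address is associated with a user account.")


def normalize(email: str) -> str:
    return email.strip().lower()


def recover_leaky(email: str, outbox: list) -> str:
    """'Actual results': the response depends on whether the address is registered."""
    addr = normalize(email)
    if addr not in ACCOUNTS:
        return f"There is no account with the address {addr}."  # constructed text
    outbox.append(addr)
    return f"A recovery email has been sent to {addr}."  # constructed text


def recover_uniform(email: str, outbox: list) -> str:
    """'Expected results': the same response whether or not the account exists."""
    addr = normalize(email)
    if addr in ACCOUNTS:
        outbox.append(addr)  # mail is queued only for real accounts
    return UNIFORM_MSG       # the response body carries no registration signal


def reveals_registration(handler, registered: str, unregistered: str) -> bool:
    """True if the two responses differ once the echoed address is masked out."""
    a = handler(registered, []).replace(normalize(registered), "<addr>")
    b = handler(unregistered, []).replace(normalize(unregistered), "<addr>")
    return a != b


if __name__ == "__main__":
    for h in (recover_leaky, recover_uniform):
        print(h.__name__,
              reveals_registration(h, "alice@example.org", "eve@example.org"))
```

The check covers the response body only; as Comment 2 points out, a registration page that reports "address already in use" exposes the same information through a different form.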
Reporter
Updated•10 years ago
Version: unspecified → 4.2.7
Comment 1•10 years ago
I've seen lots of sites recently which choose helpfulness over avoiding email-harvesting here - and, to be honest, I love it. I have several email addresses, and being able to work out which one I signed up with is a real blessing. Spammers aren't going to bother to validate a pile of email addresses they have, they are just going to spam them and ignore the bounces.

Gerv
Comment 2•10 years ago
Agree with Gerv. I, too, have converted my stance on this issue, and I no longer believe positively acknowledging an e-mail address is registered is a true security issue, especially when you can get the same information from the registration page.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Updated•10 years ago
Resolution: INVALID → WORKSFORME
Comment 3•10 years ago
You are a bit behind. This has already been fixed in Bugzilla 5.0.
Resolution: WORKSFORME → DUPLICATE
Reporter
Comment 4•10 years ago
Sorry, got the wrong wording and did not find the duplicate.