[wp-trac] [WordPress Trac] #40667: Password reset screen allows validity (or otherwise) of the provided email
WordPress Trac
noreply at wordpress.org
Thu May 4 15:46:32 UTC 2017
#40667: Password reset screen allows validity (or otherwise) of the provided email
----------------------------+-----------------------------
Reporter: dartiss | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
When clicking on 'Lost your password' during login, you are then prompted
to enter a user name or email address. Entering one that is invalid will
produce the messages...
ERROR: Invalid username or email.
or
ERROR: There is no user registered with that email address.
Depending on whether a user name or password, respectively, was provided.
An attacker could use this information to fish for user names or emails.
This has been quite normal for sites in the past to do but more and more
now give a generic 'if that information is valid, we'll send you a
password reset email' instead. For the purposes of heightened security, I
believe this should be implemented.
I have looked for duplicates of this already recorded on Trac and haven't
found anything - apologies if this is not the case.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40667>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
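The two reply styles the ticket contrasts, as an added example that is not WordPress core code and not the reporter's: a handler that echoes the distinct messages quoted above next to one that returns the same generic text whether or not an account matches, plus the check a reviewer would run to confirm a handler is uniform. The account table, the mail outbox, and all function names here are constructed stand-ins.

```python
"""Added example, not code from WordPress core or from the ticket's author.

It contrasts the two reply styles the ticket describes: one whose wording
depends on whether the username or email exists, and a generic reply that
is the same either way.  The account table, the mail outbox and the
function names are constructed stand-ins."""
import secrets

# Constructed sample accounts: login name -> email address.
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}

# Constructed stand-in for the mail transport: (recipient, token) tuples.
OUTBOX = []


def lookup_user(user_login):
    """Return the login name for a username or email, or None if no match."""
    login = user_login.strip()
    if "@" in login:
        for name, email in USERS.items():
            if email.lower() == login.lower():
                return name
        return None
    return login if login in USERS else None


def send_reset_mail(name):
    """Queue a reset token for an existing account (constructed stand-in)."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((USERS[name], token))


def revealing_lost_password(user_login):
    """The behaviour the ticket reports: the message differs by input kind
    and by whether a matching account exists."""
    if not user_login.strip():
        return "ERROR: Enter a username or email address."
    name = lookup_user(user_login)
    if name is None:
        if "@" in user_login:
            return "ERROR: There is no user registered with that email address."
        return "ERROR: Invalid username or email."
    send_reset_mail(name)
    return "Check your email for the confirmation link."


GENERIC_REPLY = ("If an account matches that username or email address, "
                 "a password reset link has been sent.")


def generic_lost_password(user_login):
    """The reply the ticket asks for: identical wording whether or not the
    account exists.  Only the empty-input case is reported, because it
    says nothing about any account."""
    if not user_login.strip():
        return "ERROR: Enter a username or email address."
    name = lookup_user(user_login)
    if name is not None:
        send_reset_mail(name)
    else:
        # Spend roughly the same effort on the miss path so that response
        # time is not a second tell (a simplification: real handlers should
        # queue the email and return without waiting on delivery).
        secrets.token_urlsafe(32)
    return GENERIC_REPLY


def reply_is_uniform(handler, known_login, unknown_login):
    """Review check: a known and an unknown account must produce
    byte-identical replies from the handler."""
    return handler(known_login) == handler(unknown_login)


if __name__ == "__main__":
    for handler in (revealing_lost_password, generic_lost_password):
        print(handler.__name__, "uniform:",
              reply_is_uniform(handler, "alice", "nobody"),
              reply_is_uniform(handler, "alice@example.com", "ghost@example.com"))
```

The generic reply only closes the wording channel; the miss path still has to cost about as much as the hit path, and the email itself must be sent out of band, otherwise response time or a visible mail error reintroduces the same distinction.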