
Defect #25144

closed

Account Harvesting login issue

Added by ajeesh b almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Duplicate
Affected version:
Description

Hi

Can I change the "Unknown user" error message to something else in the case of the lost_password prompt?

Duplicating my query:
1. Go to the application login page and click on the Lost Password link.
2. Type an invalid email and click on the Submit button.
3. Finally you will get a message saying "Unknown user". With this message you can set up a script to
distinguish valid accounts from the invalid ones.
Recommendation
An application should respond with a generic error message regardless of whether the user ID or password was
incorrect. It should also give no indication of the status of an existing account.
Send an authentication token to the user's email in order to prompt the security questions.
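The behaviour described in the report, modelled in Ruby as an added example (this is not Redmine's code; the account table, handler names and messages are constructed for illustration). It shows the distinguishable "Unknown user" response, the harvesting check a script would run against a candidate list, and the generic-response variant the recommendation asks for, where a reset token is generated only for accounts that exist:

```ruby
# Added example (not Redmine's own code): a minimal model of a lost-password
# endpoint showing why "Unknown user" is an account-enumeration oracle, and the
# generic-response variant the recommendation calls for.
require 'securerandom'

# Constructed sample account table; the addresses are made up for the example.
USERS = {
  'alice@example.com' => { active: true },
  'bob@example.com'   => { active: true }
}.freeze

GENERIC_MESSAGE = 'If an account with that address exists, an email with ' \
                  'instructions to choose a new password has been sent.'

# Behaviour as reported: the flash text (and status) differs depending on
# whether the address belongs to a registered account.
def lost_password_vulnerable(email)
  if USERS.key?(email)
    { status: 302, flash: 'An email with instructions has been sent to you.' }
  else
    { status: 200, flash: 'Unknown user' }
  end
end

# Hardened variant: the HTTP status and message are identical for every input.
# A reset token is generated and queued for delivery only when the account
# exists, so the only place the difference is visible is the real owner's mailbox.
def lost_password_hardened(email, outbox)
  if (user = USERS[email]) && user[:active]
    outbox << { to: email, token: SecureRandom.hex(20) }
  end
  { status: 302, flash: GENERIC_MESSAGE }
end

# What a harvesting script does: submit a candidate list and check whether the
# responses can be told apart. Returns the addresses the handler confirms as
# valid, or [] if every candidate gets the same response.
def harvest(handler, candidates)
  results = candidates.map { |e| [e, handler.call(e)] }
  groups = results.group_by { |_, r| [r[:status], r[:flash]] }
  return [] if groups.size < 2

  # Most entries in a guess list are invalid, so the smaller group is the hits.
  groups.values.min_by(&:size).map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  guesses = %w[alice@example.com nobody@example.com bob@example.com x@example.com y@example.com]
  puts "vulnerable handler leaks: #{harvest(method(:lost_password_vulnerable), guesses).inspect}"
  outbox = []
  puts "hardened handler leaks:   #{harvest(->(e) { lost_password_hardened(e, outbox) }, guesses).inspect}"
  puts "reset mails queued:       #{outbox.size}"
end
```

Two caveats when applying this to a real deployment: the hardened handler still does more work (token generation, mail enqueueing) for existing accounts, so the mail should be sent asynchronously or the response otherwise padded so that response time does not become a substitute oracle; and the endpoint should be rate-limited, since a generic message only raises the cost of enumeration rather than removing every side channel.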


Related issues

Is duplicate of Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address (Closed, Go MAEDA)

#1

Updated by Go MAEDA almost 8 years ago

  • Is duplicate of Defect #6254: Remove "Unknown user" notification on password request with non-existent email address added
#2

Updated by Go MAEDA almost 8 years ago

  • Category set to Accounts / authentication
  • Status changed from New to Closed
  • Resolution set to Duplicate

I found that it has been already reported as #6254.
Thank you for reporting.
