Defect #25144
closed
Account Harvesting login issue
0%
Description
Hi
Can I change the "Unknown user" error message to something else in case of lost_password promt.
Dulicating my query:
1. Go to the application login page and click on the Lost Password link.
2. Type an in invalid email and click on the Submit button.
3. Finally you will get a message saying Unknown user. With message this you can setup a script to
distinguish valid accounts from the invalid ones.
Recommendation
An application should respond with a generic error message regardless of whether the user ID or password was
incorrect. It should also give no indication to the status of an existing account.
Send an authentication token to the users email in order to prompt the security questions.
Related issues
Updated by Go MAEDA about 7 years ago
- Is duplicate of Defect #6254: Remove "Unknown user" notification on password request with non-existent email address added
Updated by Go MAEDA about 7 years ago
- Category set to Accounts / authentication
- Status changed from New to Closed
- Resolution set to Duplicate
I found that it has been already reported as #6254.
Thank you for reporting.