Currently emails can be leaked by requesting a password reset. It is possible to throw emails at the software and see which emails have accounts and which ones don’t, without having access to said emails. This is extremely dangerous.

Ne divulguez pas les e-mails lors de la réinitialisation du mot de passe

awesomerobot (Kris) Janvier 14, 2021, 9:44 2

This is not a bug. We have a site setting called hide email address taken that prevents it.

There are also rate-limits on sign in so it’s not particularly easy to brute force large numbers of email addresses.

5 « J'aime »

Email enumeration vulnerability on "Password Reset" dialogue

Sujet		Réponses	Vues
Email enumeration vulnerability on "Password Reset" dialogue UX	19	3743	Décembre 19, 2024
Hiding "e-mail taken" on sign-up by default Announcements	6	194	Décembre 22, 2024
Password reset confirm message should discourage social engineering Feature	7	1530	Août 4, 2023
Received password reset email though I didn’t request one? Support	15	5625	Novembre 28, 2023
Different password reset for wrong username/email Feature	65	27809	Août 4, 2023