Defect #6254

Remove 'invalid user' notification on password request with invalid e-mail address

Added by Aron Rotteveel over 7 years ago. Updated 10 months ago.

Status: New
Start date: 2010-08-31
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution:
Affected version:

Description

Currently, it is possible to retrieve valid e-mail addresses from the system by simply trying to request a password for them. If the e-mail address is not valid, Redmine will show a notification stating this.

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.


Related issues

Duplicated by Redmine - Defect #25144: Account Harvesting login issue (Closed)

History

#1 Updated by Go MAEDA 10 months ago

  • Duplicated by Defect #25144: Account Harvesting login issue added

#2 Updated by Go MAEDA 10 months ago

source:tags/3.3.2/config/locales/en.yml#L153:

  notice_account_unknown_email: Unknown user.

#3 Updated by Go MAEDA 10 months ago

Aron Rotteveel wrote:

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.

I completely agree. Redmine should always display notice_account_lost_email_sent ("An email with instructions to choose a new password has been sent to you.").
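The leak described in the report and the uniform response proposed in this comment, as an added Ruby example that is not Redmine's own code. The user table, outbox and helper names (find_user, enqueue_reset_mail, lost_password_leaky, lost_password_uniform) are constructed for the illustration; only the two notice strings come from the locale file cited above.

```ruby
# Added example, not Redmine code: a minimal lost-password handler in its
# leaky form beside a form that answers identically for every address.

NOTICE_UNKNOWN = "Unknown user."  # notice_account_unknown_email
NOTICE_SENT    = "An email with instructions to choose a new password has been sent to you."  # notice_account_lost_email_sent

# Constructed stand-in for the users table.
USERS = {
  "alice@example.com" => { id: 1 },
  "bob@example.com"   => { id: 2 },
}.freeze

# Outbox so the side effect (a mail to a real account) can be observed.
OUTBOX = []

def find_user(email)
  USERS[email.to_s.strip.downcase]
end

def enqueue_reset_mail(email, user)
  OUTBOX << { to: email, user_id: user[:id] }
end

# Leaky version: the notice depends on whether the address is registered,
# so an unauthenticated request confirms which addresses exist.
def lost_password_leaky(email)
  user = find_user(email)
  return NOTICE_UNKNOWN unless user
  enqueue_reset_mail(email, user)
  NOTICE_SENT
end

# Uniform version: the visible response is the same for known and unknown
# addresses; only the mail to a real account differs, and that is not
# observable by the requester.
def lost_password_uniform(email)
  user = find_user(email)
  enqueue_reset_mail(email, user) if user
  NOTICE_SENT
end

# True if the handler's response lets a caller tell the two addresses apart.
def distinguishable?(handler, known, unknown)
  send(handler, known) != send(handler, unknown)
end
```

The uniform notice closes the message channel only; if the mail is sent synchronously, response time can still differ between the two branches, so the mail should be queued rather than delivered inside the request.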
