Defect #25144

Account Harvesting login issue

Added by ajeesh b almost 6 years ago. Updated almost 6 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution: Duplicate
Affected version:

Description

Hi

Can I change the "Unknown user" error message to something else in case of the lost_password prompt?

Duplicating my query:
1. Go to the application login page and click on the Lost Password link.
2. Type an invalid email and click on the Submit button.
3. Finally you will get a message saying Unknown user. With this message you can set up a script to
distinguish valid accounts from the invalid ones.
Recommendation
An application should respond with a generic error message regardless of whether the user ID or password was
incorrect. It should also give no indication to the status of an existing account.
Send an authentication token to the users email in order to prompt the security questions.
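The generic-response recommendation above, as an added Ruby example that is not Redmine's own code: a leaky lost-password handler beside a uniform one. USERS and SENT are constructed in-memory stand-ins for the user table and the mailer.

```ruby
# Constructed in-memory user table standing in for the real accounts store.
USERS = {
  "alice@example.test" => { active: true },
  "bob@example.test"   => { active: false },  # locked account
}.freeze

# Records addresses the stand-in mailer was asked to contact.
SENT = []

# Stand-in for the real reset mailer.
def send_reset_mail(email)
  SENT << email
end

# Leaky variant: the wording of the reply depends on whether the address
# is registered, so a caller can tell valid accounts from invalid ones.
def lost_password_leaky(email)
  user = USERS[email]
  return "Unknown user" unless user
  return "Account is locked" unless user[:active]
  send_reset_mail(email)
  "Instructions sent"
end

GENERIC_MSG = "If an account exists for that address, reset instructions have been sent."

# Uniform variant: the same message for unknown, locked and valid addresses.
# The mailer is only invoked for an active account, but the reply never
# reveals which branch was taken.
def lost_password_uniform(email)
  user = USERS[email]
  send_reset_mail(email) if user && user[:active]
  GENERIC_MSG
end
```

Any difference in the reply text, status code or timing between the branches of the uniform variant would reintroduce the oracle, so all three branches should be exercised when testing it.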


Related issues

Duplicates Redmine - Defect #6254: Remove 'invalid user' notification on password request wi... New 2010-08-31

History

#1 Updated by Go MAEDA almost 6 years ago

  • Duplicates Defect #6254: Remove 'invalid user' notification on password request with invalid e-mailadress added

#2 Updated by Go MAEDA almost 6 years ago

  • Category set to Accounts / authentication
  • Status changed from New to Closed
  • Resolution set to Duplicate

I found that it has been already reported as #6254.
Thank you for reporting.
