Problem
Currently, when a user attempts to reset their password using an email address that does not exist in the system, the application displays the message:
"We can't find a user with that email address."
This response exposes whether a user exists in the system, creating a potential security vulnerability by enabling user enumeration.
Proposed Solution
Update the password reset flow to treat all attempts as a "success journey" regardless of whether the email address exists in the system. The response message should be generic and not disclose the existence of the user.
For example:
"If an account with this email exists, a password reset link has been sent."
Expected Outcome
The password reset flow no longer exposes whether an email address exists in the system, aligning with best practices for security.
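The proposed change, shown as an added example that is not code from this issue or from the project: a minimal password reset handler in its current form beside the hardened form that returns the same generic response whether or not the address is registered. The in-memory user store, the `Outbox` mail stub and the handler names are constructed for the example; the hardened handler also performs the same work on both paths so that response time does not become a substitute for the message that was removed.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory user store (hypothetical; stands in for the project's user model).
USERS = {"alice@example.com": {"id": 1}}

GENERIC_MESSAGE = "If an account with this email exists, a password reset link has been sent."


@dataclass
class Outbox:
    """Stand-in for the mailer: records (address, token) pairs instead of sending."""
    sent: list = field(default_factory=list)


def reset_password_vulnerable(email: str, outbox: Outbox) -> dict:
    """Before: the visible response differs for registered and unregistered addresses."""
    user = USERS.get(email.strip().lower())
    if user is None:
        return {"status": 404, "message": "We can't find a user with that email address."}
    token = secrets.token_urlsafe(32)
    outbox.sent.append((email, token))
    return {"status": 200, "message": "A password reset link has been sent."}


def reset_password_hardened(email: str, outbox: Outbox) -> dict:
    """After: identical status and message on both paths; mail is only queued for real accounts."""
    user = USERS.get(email.strip().lower())
    # Generate the token unconditionally so both branches do comparable work
    # and the timing of the response does not reveal which branch ran.
    token = secrets.token_urlsafe(32)
    if user is not None:
        outbox.sent.append((email, token))
    return {"status": 200, "message": GENERIC_MESSAGE}


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Regression check: True if the handler's response distinguishes a known from an unknown address."""
    a = handler(known, Outbox())
    b = handler(unknown, Outbox())
    return (a["status"], a["message"]) != (b["status"], b["message"])


if __name__ == "__main__":
    for name, handler in (("vulnerable", reset_password_vulnerable),
                          ("hardened", reset_password_hardened)):
        verdict = leaks_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: leaks existence = {verdict}")
```

The `leaks_existence` check is the kind of test worth keeping in the project's suite after the change, so that a later edit to either branch cannot quietly reintroduce a distinguishable response; the generic message should be paired with rate limiting on the reset endpoint, since the enumeration risk is about repeated lookups rather than a single request.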