FWIW, for me the question here is why isn't Django applying the same 
protection against enumeration attacks on sign-up pages?
On Thursday, 9 January 2020 02:08:16 UTC+1, SANYAM MITTAL wrote:
>
> PasswordResetView also returns a success message for emails that are not 
> in the database.
>
> *Problems Faced*
>
>    1. If the user is not registered but strongly thinks they are 
>    registered and have forgotten the password, they would keep trying to get 
>    the reset email.
>    2. If they've typed a wrong email in PasswordResetForm, they would be 
>    expecting a reset email with a reset URL but wouldn't receive any mail, nor 
>    would any ValidationError be raised, which wastes a lot of the user's time.
>
> *Reference:*
>
> https://github.com/django/django/blob/0f843fdd5b9b2f2307148465cd60f4e1b2befbb4/django/contrib/auth/views.py#L208
>
> As mentioned in the documentation
> https://docs.djangoproject.com/en/stable/topics/auth/default/#django.contrib.auth.views.PasswordResetView
>
> *This prevents information leaking to potential attackers*
>
> Although a potential attacker can easily get this information from the 
> Sign-Up/Register page, as a *validation error is raised when a duplicate 
> email address* is entered during sign-up.
>
> If there's *no unique email validation* during sign-up, there's a 
> chance that multiple users get registered with the same email (if a user 
> mistakenly types someone else's email), and the password reset email is sent 
> multiple times for different users, which is more risky.
>
> Facebook, Netflix and many more also raise a validation error when a 
> non-registered email is entered.
>
> *Thanks for your time.*
>
> Sorry, I don't know the real necessity of not validating the email, but this 
> really causes confusion and wastes the user's precious time.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/06dcb212-a2b9-4e9d-8bb7-a1cca36fc699%40googlegroups.com.
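The trade-off the thread is discussing, as an added illustration that is not part of the original post and not Django's code: a pure-Python model (no Django dependency; the `Store`, handler names and the `leaks_existence` check are constructed for this example) of a sign-up handler that raises a validation error on a duplicate email, next to a sign-up handler and a password-reset handler that answer identically whether or not the address is registered, routing the distinguishing information only to the mailbox owner.

```python
"""Constructed model of enumeration-safe sign-up and password-reset responses.

Stand-in for the Django views discussed in the thread; not Django's own code.
"""
from dataclasses import dataclass, field


@dataclass
class Store:
    users: set = field(default_factory=set)      # registered emails (constructed)
    outbox: list = field(default_factory=list)   # (recipient, subject) pairs "sent"


# Both flows show the same text regardless of whether the address is known.
GENERIC_SIGNUP_MSG = "Check your inbox to finish creating your account."
GENERIC_RESET_MSG = "If an account exists for that address, a reset link was sent."


def normalize(email):
    # Compare addresses case-insensitively so "Alice@" and "alice@" are one account.
    return email.strip().lower()


def leaky_signup(store, email):
    """Pattern criticised in the thread: the HTTP response reveals registration."""
    email = normalize(email)
    if email in store.users:
        raise ValueError("A user with that email already exists.")
    store.users.add(email)
    store.outbox.append((email, "verify your address"))
    return GENERIC_SIGNUP_MSG


def safe_signup(store, email):
    """Same visible response either way; only the mailbox owner learns which case applied."""
    email = normalize(email)
    if email in store.users:
        # Tell the real account holder, not the requester, that the address is taken.
        store.outbox.append((email, "you already have an account"))
    else:
        store.users.add(email)
        store.outbox.append((email, "verify your address"))
    return GENERIC_SIGNUP_MSG


def safe_password_reset(store, email):
    """Mirrors PasswordResetView's behaviour: success message whether or not the email exists."""
    email = normalize(email)
    if email in store.users:
        store.outbox.append((email, "password reset link"))
    return GENERIC_RESET_MSG


def leaks_existence(handler):
    """Constructed check: does the handler's visible outcome differ for a known vs. unknown email?"""
    def observe(email):
        store = Store(users={"known@example.com"})
        try:
            return ("ok", handler(store, email))
        except ValueError as exc:
            return ("error", str(exc))
    return observe("known@example.com") != observe("unknown@example.com")


if __name__ == "__main__":
    for name, handler in [("leaky_signup", leaky_signup),
                          ("safe_signup", safe_signup),
                          ("safe_password_reset", safe_password_reset)]:
        print(f"{name}: leaks account existence = {leaks_existence(handler)}")
```

The check only compares the response body and the raised-or-not outcome; in a real deployment the branch that sends mail also takes longer, so delivering email asynchronously (or otherwise equalising the work done on both paths) is part of the same protection.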
