Django-allauth: Password Reset form exposes registered E-Mails

Created on 14 Aug 2019  路  2Comments  路  Source: pennersr/django-allauth

The current reset form tells you if an address does not exist which is problematic if you are using your E-Mail to log in. By default you should get a message that an E-Mail was sent to that address regardless if the user exists or doesn't.

Would you be open for accepting a pull request for this issue?

Most helpful comment

I was about to create the same issue, so I will contribute with the OWASP guide which proposes a correct response:

If that email address is in our database, we will send you an email to reset your password

All 2 comments

I was about to create the same issue, so I will contribute with the OWASP guide which proposes a correct response:

If that email address is in our database, we will send you an email to reset your password

This does not address the whole story. Closing -- #1307 is tracking these issues.

Was this page helpful?
0 / 5 - 0 ratings