W3C home > Mailing lists > Public > site-comments@w3.org > January 2021

information leak in password recovery interface

From: C. M. Sperberg-McQueen <cmsmcq@blackmesatech.com>
Date: Thu, 28 Jan 2021 09:11:24 -0700
Message-Id: <A4098279-7185-438D-A24D-A2AE3ACBEF71@blackmesatech.com>
Cc: "C. M. Sperberg-McQueen" <cmsmcq@blackmesatech.com>
To: site-comments@w3.org

I notice that when I put the wrong email address into the password recovery
form at [1], I get a message saying "No user account with that email address found".

Is it good practice to reveal to an unauthenticated individual whether an
arbitrary email address is or is not affiliated with a W3C login ID?  I thought
I had read that security experts recommended that systems not make it
possible to discover whether a given account name does or does not exist
(a bit like psychiatrists who not only decline to confirm that so-and-so is
one of their patients, but also decline to confirm that so-and-so is *not*
one of their patients).


Michael Sperberg-McQueen

[1] https://www.w3.org/accounts/recover

C. M. Sperberg-McQueen
Black Mesa Technologies LLC
Received on Thursday, 28 January 2021 16:11:44 UTC
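The behaviour the message reports is account enumeration through a password-recovery form: the response text differs depending on whether the submitted address is registered. The usual fix is for the handler to return one fixed message for every address and to do the same visible work either way. The following is an added example, not code from the W3C site or from the author of the message; the user store, the outbox and the handler names are constructed stand-ins. It shows a handler with the leaking pattern beside a hardened one, plus the attacker's-eye probe a tester would run against the form.

```python
import hashlib
import secrets

# Constructed sample user store (email -> user id). It stands in for the
# real account database, which this example does not know.
USERS = {"alice@example.org": 1, "bob@example.org": 2}

# One message for every address, registered or not.
GENERIC_MESSAGE = ("If an account exists for that address, "
                   "a recovery link has been sent to it.")


def recover_vulnerable(email, users=USERS):
    """The pattern described in the message: the wording of the
    response tells an unauthenticated caller whether the address
    belongs to an account."""
    if email not in users:
        return "No user account with that email address found"
    return "A recovery link has been sent to your email address"


class Outbox:
    """Models a mail queue; the handler enqueues and returns, so the
    time to respond does not depend on whether a mail was queued."""

    def __init__(self):
        self.sent = []

    def send(self, to, link):
        self.sent.append((to, link))


def recover_hardened(email, outbox, users=USERS):
    """Same response for every address. Token generation and the
    lookup happen on both paths; only the (queued) mail differs."""
    email = email.strip().lower()            # normalise before lookup
    token = secrets.token_urlsafe(32)        # single-use reset token
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    user_id = users.get(email)
    if user_id is not None:
        # A real service stores token_hash against user_id with an
        # expiry (omitted here) and never logs the raw token.
        outbox.send(email, "https://example.invalid/recover?token=" + token)
    return GENERIC_MESSAGE


def probe_for_enumeration(handler, candidates):
    """Tester's check: submit each candidate address and group them by
    the response text. More than one group means the form leaks
    which addresses are registered."""
    groups = {}
    for addr in candidates:
        groups.setdefault(handler(addr), []).append(addr)
    return groups


if __name__ == "__main__":
    probe = ["alice@example.org", "nobody@example.org"]
    print(probe_for_enumeration(recover_vulnerable, probe))
    print(probe_for_enumeration(lambda e: recover_hardened(e, Outbox()), probe))
```

The probe is the check to run after a fix: it should report exactly one response group for any mix of registered and unregistered addresses. Status codes, redirects and response timing are further channels the same probe can be extended to compare.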

This archive was generated by hypermail 2.4.0 : Monday, 18 April 2022 20:33:56 UTC