Forum² Admin Posted Thursday at 06:51

Background

Under the current default settings, when signing up for an account with an e-mail that has already been registered, the sign-up form will inform you of that:

[screenshot not included]

We are changing the default setting to not give away this information. Instead, the sign-up form will look like this, regardless of whether the e-mail is already registered or not:

[screenshot not included]

This also affects password resets in similar ways. With the setting disabled, the form provides immediate feedback that the e-mail is in the system:

[screenshot not included]

With the setting enabled it does not disclose that information:

[screenshot not included]

Why are we changing it?

A malicious actor can use this feedback to perform account enumeration, letting them know whether certain users exist on this forum, which can then let them target those users with phishing.

Won’t this affect legitimate users negatively?

The case here is if a user forgot that they already have an account, and they try to sign up or reset their password using the same e-mail, which should be a relatively rare occurrence. But even then, they will just receive an e-mail letting them know they already have an account. The change ultimately does not affect legitimate users’ ability to sign up or access their accounts.

But I prefer the old default

If you have changed this setting at any point, the new default will not override the custom setting. If you want to change back to the old default, you can set the hide_email_address_taken setting back to false.

Note: we are considering hiding this site setting from the admin settings page in the future.
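The two behaviours described in the post, as an added Python example that is not code from this forum or from the Discourse project: the old handler answers differently for a registered address, the new one answers identically and moves the distinction into the e-mail. The user store, the mailer and the addresses are constructed stand-ins.

```python
"""Sign-up / password-reset handlers: enumerating vs. uniform responses."""
from dataclasses import dataclass, field

# Constructed sample user store: one registered address, nothing else.
REGISTERED = {"alice@example.com"}


@dataclass
class Outbox:
    """Stand-in for a mailer; records (recipient, template) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to: str, template: str) -> None:
        self.sent.append((to, template))


def signup_verbose(email: str, outbox: Outbox) -> str:
    """Old default: the form itself reveals whether the address exists."""
    if email in REGISTERED:
        return "That email address is already registered."
    outbox.send(email, "activate_account")
    return "Check your inbox to activate your account."


def signup_uniform(email: str, outbox: Outbox) -> str:
    """New default (hide_email_address_taken = true): same response either
    way; only the mailbox owner learns which e-mail was sent."""
    if email in REGISTERED:
        outbox.send(email, "account_exists")  # "you already have an account"
    else:
        outbox.send(email, "activate_account")
    return "Check your inbox to activate your account."


def reset_uniform(email: str, outbox: Outbox) -> str:
    """Password reset with the same property: no feedback about existence."""
    if email in REGISTERED:
        outbox.send(email, "password_reset")
    # Unknown address: nothing to send, but the response is identical.
    return "If that address is registered, a reset link has been sent."


def leaks_existence(handler) -> bool:
    """Defender's check: does the visible response differ between a
    registered and an unregistered address? True means enumeration works."""
    known = handler("alice@example.com", Outbox())
    unknown = handler("nobody@example.com", Outbox())
    return known != unknown
```

The check compares only the response text; in a real deployment the status code and response time for both branches must match as well, or the leak simply moves there.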