Opened 5 weeks ago
Last modified 2 weeks ago
#63125 new enhancement
Let hidden if an email address is registered on the website
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | trunk |
| Component: | Login and Registration | Keywords: | |
| Focuses: | | Cc: | |
Description
Hi,
The password recovery method expected for WordPress allows a malicious user to know if an email address is registered on the website.
In fact, if you use the lost password feature and enter a non-existent email address, the error is "Error: There is no account with that username or email address"... so you could test a number of email addresses and discover which ones are registered on the website.
In my opinion it would be better to have, in every condition, a generic message like "If the entered email address is in our database you will receive an email with the instructions to reset your password".
Eventually I might take care of this enhancement.
Thanks :)
P.S. This is also related to the paragraph "Why did I get this “Password Reset” email?" on https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
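One way to get the behaviour the reporter asks for without waiting for a core change, written as an added example for this page (it is not code from the ticket or from WordPress core): a must-use plugin that hooks the core `lostpassword_post` action. That action fires inside `retrieve_password()` after the user lookup but before core adds its "There is no account" error, and since WordPress 5.4 it receives the looked-up user (or `false`). When nothing matched, the plugin issues the same redirect that `wp-login.php` performs on success, so the browser gets an identical response whether or not the address exists. The function name and the `wp-content/mu-plugins/` location are my choices.

```php
<?php
/**
 * Plugin Name: Generic lost-password response (added example, not core code)
 *
 * Drop this file into wp-content/mu-plugins/. It makes the "Lost your
 * password?" form answer the same way whether or not the submitted
 * username/email exists, so the form cannot confirm that an address
 * (or username) is registered. Assumes WordPress 5.4 or later.
 */

add_action( 'lostpassword_post', 'example_hide_account_existence', 10, 2 );

/**
 * Runs inside retrieve_password() after the lookup and before core appends
 * "There is no account with that username or email address".
 *
 * @param WP_Error      $errors    Errors collected so far (e.g. empty field).
 * @param WP_User|false $user_data Matched user, or false when nothing matched.
 */
function example_hide_account_existence( $errors, $user_data ) {
	// retrieve_password() is also called programmatically (e.g. the admin
	// "Send password reset" action); only touch the public login form.
	if ( empty( $GLOBALS['pagenow'] ) || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
		return;
	}

	// An empty field is a plain form error, not an existence oracle; let
	// core report it as usual.
	if ( $errors->has_errors() ) {
		return;
	}

	// Only act when core is about to reveal that no account matched.
	if ( false !== $user_data ) {
		return;
	}

	// Mirror exactly what wp-login.php does on success, so an unknown
	// address produces the same redirect and the same "check your email"
	// notice as a known one. No email is sent, because there is nobody
	// to send it to.
	$redirect_to = ! empty( $_REQUEST['redirect_to'] )
		? $_REQUEST['redirect_to']
		: 'wp-login.php?checkemail=confirm';

	wp_safe_redirect( $redirect_to );
	exit;
}
```

Two caveats a practitioner should weigh. First, the responses are now identical in content and status, but the known-address path still sends an email, so a response-timing difference remains; if that matters, the mail step itself would have to be taken off the request path. Second, this closes only the lost-password channel: the registration form and the public `/wp-json/wp/v2/users` endpoint mentioned later in this ticket are separate channels and need their own handling.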
Change History (4)
#1 @r3n0
Hi there,
There is similar functionality if account registration is enabled on the website. You go through the email value without entering the desired username. Due to a partially filled form, registration doesn't occur, but you see whether the email is registered in the system or not. In any case, you need a huge database to iterate over email values, and the final goal looks pretty questionable.
#2 in reply to: ↑ 1, 5 weeks ago
Replying to r3n0:
Hi!
Sure, an already registered email would receive the lost password link also when registering.
Huge databases exist, but this is not only for brute forcing. It's also, in my opinion, a privacy leak. If I know your email and I wanna check if you're registered on that site, I can.
Don't just think of WordPress as a blog; think of a WooCommerce online pharmacy: I could find out whether you bought something on that ecommerce site... just as an example.
This ticket was mentioned in Slack in #core-privacy by joemcgill. View the logs.
5 weeks ago
#4, 2 weeks ago
related #62960
You can also check for registered users via the REST API like this: https://wordpress.org/wp-json/wp/v2/users
The information you get is considered 'public'.
In that case, REST API access can be disabled, but it is enabled by default.