Re: Reset password : if the unregistered email address entered then also giving success message. #cf #uaa


Jonathan Matthews
 

Hey Shilpa,

I wouldn’t be surprised to find this is intentional. 

If this didn’t happen, then it would be possible for an attacker to try submitting many addresses, and then receive confirmation of which of them were related to accounts on the service/system.

I also wouldn’t be surprised to find that the service had an option to disable this behaviour in trusted environments, but I’ve no insight into that - I’m just mentioning that’s it’s /possible/ :-)

HTH,
J

On Sun, 14 Jun 2020 at 16:59, shilpa kulkarni <shilpakulkarni91@...> wrote:
Hi,
 
If I pass email id (which is not registered)for reset password link  then it should give error message but it is giving success message only. I am not getting where to change that code.
Can anyone please provide solution for this?
 
Thanks & Regards
Shilpa

--
Jonathan Matthews
London, UK
https://jpluscplusm.com

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.