Reset password : if the unregistered email address entered then also giving success message. #cf #uaa
Jonathan Matthews <contact+cfdev@...>
toggle quoted messageShow quoted text
I wouldn’t be surprised to find this is intentional.
If this didn’t happen, then it would be possible for an attacker to try submitting many addresses, and then receive confirmation of which of them were related to accounts on the service/system.
I also wouldn’t be surprised to find that the service had an option to disable this behaviour in trusted environments, but I’ve no insight into that - I’m just mentioning that’s it’s /possible/ :-)
On Sun, 14 Jun 2020 at 16:59, shilpa kulkarni <shilpakulkarni91@...> wrote:
If I pass email id (which is not registered)for reset password link then it should give error message but it is giving success message only. I am not getting where to change that code.
Can anyone please provide solution for this?
Thanks & Regards