Had a convo with someone a while back:
Bug report: “The ‘reset password’ form doesn’t show an error if you try to reset an account that doesn’t exist.”
Me: “That would be a security risk. Closed.”
Them: “What? How? You have to click the link in the email before it does anything.”
Me: “Try putting in a bogus email on the login screen. See how it says ‘wrong email/password combination’, and not ‘no such account’? If we tell the user whether we recognize a given email, we’re basically providing attackers a list of users they can try passwords for.”
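The point made in the conversation above, as an added example that is not part of the original post: a leaky reset handler beside a uniform one, plus a login check that gives the same generic failure for an unknown address and for a wrong password. The user store, the salt, the `OUTBOX` mailer stand-in and all function names are constructed for the demo, not taken from any real application.

```python
"""Account-enumeration defence for password reset and login.

Both handlers answer identically whether or not the address is registered,
so the only party who learns anything is the real owner of the mailbox.
Everything here (users, salt, mailer) is a constructed stand-in for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed static salt; a real store uses a per-user random salt.
SALT = b"demo-only-static-salt"


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (constructed demo parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: email -> password hash.
USERS = {"alice@example.com": _hash("correct horse", SALT)}

# Constructed mailer: records (recipient, token) instead of sending anything.
OUTBOX: list[tuple[str, str]] = []


def reset_password_leaky(email: str) -> dict:
    """The behaviour the bug report asked for: a different answer for
    unknown accounts, which tells a caller which addresses are registered."""
    if email not in USERS:
        return {"status": 404, "message": "No such account"}
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return {"status": 200, "message": "Reset link sent"}


def reset_password_uniform(email: str) -> dict:
    """Hardened form: one response for every input. The email (and the
    single-use token in it) is only produced when the account exists, so
    nothing observable from the HTTP response depends on that fact."""
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
    return {
        "status": 200,
        "message": "If an account exists for that address, a reset link has been sent.",
    }


def login_uniform(email: str, password: str) -> dict:
    """Login with the same generic failure for 'no such user' and 'wrong
    password'. The hash is computed even for unknown users so the two
    failure paths cost about the same time."""
    stored = USERS.get(email)
    candidate = _hash(password, SALT)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if ok:
        return {"status": 200, "message": "Welcome"}
    return {"status": 401, "message": "Wrong email/password combination"}


def reveals_account_existence(handler, known: str, unknown: str) -> bool:
    """Quick self-check: does a handler answer differently for a registered
    and an unregistered address? True means it leaks."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (reset_password_leaky, reset_password_uniform):
        leak = reveals_account_existence(h, "alice@example.com", "nobody@example.com")
        print(f"{h.__name__}: {'LEAKS' if leak else 'uniform'}")
```

The reset flow stays secure because the secret is the token in the mailbox, not the response body; the response body can therefore be identical for every input. In a real service the mail should also be handed off to a queue rather than sent inline, so that response latency does not become a second channel that distinguishes the two cases.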