Title Email address revealed to unauthenticated user
Priority bug Status resolved
Superseder Nosy List ezio.melotti, loewis, weeble
Assigned To ezio.melotti Topics

Created on 2011-11-28.11:36:15 by weeble, last changed 2012-05-22.00:37:23 by ezio.melotti.

msg2314 (view) Author: weeble Date: 2011-11-28.11:36:15
Click on "lost your login". Enter any username and submit. The following page reports the email address that is associated with that account.

I would not expect the email address to be revealed by this action.
msg2315 (view) Author: ezio.melotti Date: 2011-11-29.03:58:32
FWIW this has been already reported upstream:
msg2316 (view) Author: loewis Date: 2011-11-29.21:09:01
I think some indication must be given to a legitimate user, as the user otherwise may not recall what email account to check. In the specific case of, it may, in particular, be a sourceforge address.

If people are worried that users massively read out email addresses from the bug tracker, I'd rather rate-limit password reset operations by IP address, to one reset per hour. 

If users use this to research a specific email address of a specific user account, I'd rather not stop them from doing so. People who are too worried about revealing their email address should arrange to use a separate address for places such as the bug tracker.
msg2498 (view) Author: ezio.melotti Date: 2012-05-22.00:37:23
Since the issue has been reported upstream already, I'm going to close this.
Date User Action Args
2012-05-22 00:37:23ezio.melottisetstatus: chatting -> resolved
assignedto: ezio.melotti
messages: + msg2498
2011-11-29 21:09:01loewissetnosy: + loewis
messages: + msg2316
2011-11-29 03:58:32ezio.melottisetstatus: unread -> chatting
nosy: + ezio.melotti
messages: + msg2315
2011-11-28 11:36:15weeblecreate