mattly, “we can’t leak if there’s an account associated with the email address, that’s why the error message is so vague!”
> You’re already leaking that information
“What?”
> You have open signups, right?
“yes…”
> And you only allow one account per email address right?
“yes… I’m not following you”
> OK so what happens if I go try to signup for an account with an email address already in your system?
“Well, you can’t do that, obviously”
> What does it tell the person on the web page?
“it… oh”