
As the article notes, you can trivially get around that "privacy feature" by trying to sign up with the email. If it lets you sign up there was nobody there, if it does not the email is being used by somebody else. Most sites will reject you immediately if the email is already in the system.

> RFC 7231[0] suggests something similar

Well no, RFC 7231 suggests that rather than telling an authenticated user he does not have access to a resource you can tell him the resource does not exist at all. It has nothing to do with the authentication itself, and certainly isn't suggested (let alone recommended) as a response to an invalid authentication attempt.

> valid credentials that are not adequate to gain access

How does a clear statement that the user's credentials are valid but don't give access to a resource have any relation with the rest of your comment?



If it matters, you can make it non-trivial. As with most privacy attacks, you can target an individual pretty easily.

But, if you're trolling for lots of users, the "new account" feature will have a much lower operational tempo than the authentication workflow, and for a privacy conscious organization, you can do things to make it harder for attackers. Examples: Captcha, data input validation, risk scoring, don't provide immediate confirmation, etc.

Revealing that the email address is a valid system account isn't a particularly useful piece of information to a user who isn't remembering a password. john.smith100000@gmail.com is probably taken by another John Smith. It just isn't a useful piece of information.
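The "don't provide immediate confirmation" mitigation from the comment above, as an added example (not code from the thread): the sign-up handler returns a byte-identical status and body whether or not the address is registered, and the distinguishing information goes out of band to the mailbox owner. The user store and outbox are constructed here as assumptions.

```python
"""Enumeration-resistant sign-up versus the pattern the thread describes.
Added example; the account store and outbox are constructed stand-ins."""
from dataclasses import dataclass, field

# Constructed sample user store (assumption: addresses are stored normalised).
EXISTING_ACCOUNTS = {"alice@example.com"}


@dataclass
class Outbox:
    """Stand-in for a mail queue; records (recipient, message) pairs."""
    sent: list = field(default_factory=list)


def normalise(email: str) -> str:
    return email.strip().lower()


def leaky_signup(email: str) -> tuple[int, str]:
    """The pattern the thread criticises: the immediate answer differs,
    so a probe learns whether the address has an account."""
    if normalise(email) in EXISTING_ACCOUNTS:
        return 409, "That e-mail address is already registered."
    return 200, "Check your inbox to verify your address."


def quiet_signup(email: str, outbox: Outbox) -> tuple[int, str]:
    """Same status and body in both branches; only the e-mail content differs.
    The account is not created here but when the verification link is used.
    Note: equal bodies do not by themselves close timing differences; a real
    handler should also avoid branch-dependent response latency."""
    addr = normalise(email)
    if addr in EXISTING_ACCOUNTS:
        outbox.sent.append((addr, "You already have an account; use password "
                                  "reset if you cannot sign in."))
    else:
        outbox.sent.append((addr, "Follow the link to verify this address "
                                  "and finish creating your account."))
    return 200, "If this address can be registered, we have e-mailed it instructions."


def responses_distinguishable(handler, probe_a: str, probe_b: str, *args) -> bool:
    """Defender's check: can a caller tell a registered probe from an unregistered one
    purely from the HTTP-visible response?"""
    return handler(probe_a, *args) != handler(probe_b, *args)
```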



