How to prevent password reset from disclosing private email addresses?

by brett | Last Updated October 12, 2019 22:10 PM | source

The "Forgot your password?" password reset form in Joomla 3.x can disclose that an email address is registered with the site. This is a personal privacy violation which is illegal under some privacy laws.

The problem is that the core Joomla function reports two different messages and formats:

  1. "Reset password failed: Invalid email address" when a non-registered address is entered into the reset form, and
  2. "An email has been sent to your email address. The email has a verification code, please paste the verification code in the field below to prove that you are the owner of this account." when a registered address is entered.

A third party can therefore determine whether any given email address is registered with and associated with the site. Email addresses are commonly widely known, and in many cases are in the form [email protected]

Can this be corrected with an override, so that the #2 response above is returned regardless of whether the email address entered is registered or not?

If not, what core file(s) need to be changed?

I am not mentioning Username here because I am using a plugin which allows authentication by email address and password instead of Username and password.

Please note! If you are unfamiliar with these specific responses, they are different. #1 is text that appears in a Joomla error box. #2 appears as text at the top of the form. This disclosure problem is not solved by a language file override making the text identical.

Tags : joomla-3.x login
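The point of the question is that the message text, its rendering location and the success/error state all differ between the two cases. As an added illustration (not the asker's code and not Joomla core, written in Python rather than PHP to show the pattern), the snippet below places a handler that mirrors the two-message behaviour next to one that answers identically in every field, plus a check that tells them apart. The user store, outbox and all names are hypothetical.

```python
# Added example (not from the question or from Joomla core): a password-reset
# request handler that returns one fixed message in one fixed location whether
# or not the address is registered, beside a handler that mirrors the
# two-message behaviour described in the question, and a check that tells the
# two apart. The user store, outbox and all names are hypothetical.
from dataclasses import dataclass
import secrets

# Constructed sample user store: email -> display name.
USERS = {"alice@example.com": "Alice"}

OUTBOX = []  # constructed stand-in for the mail transport


@dataclass(frozen=True)
class ResetResponse:
    ok: bool        # what the HTTP layer would render as success or error
    message: str    # text shown to the visitor
    slot: str       # where the text is rendered ("error_box" or "form_top")


LEAKY_INVALID = "Reset password failed: Invalid email address"
SENT = ("An email has been sent to your email address. The email has a "
        "verification code, please paste the verification code in the field "
        "below to prove that you are the owner of this account.")


def leaky_reset(email: str) -> ResetResponse:
    """Mirrors the behaviour the question describes: the success flag, the
    message and its rendering location all depend on whether `email` exists."""
    if email not in USERS:
        return ResetResponse(False, LEAKY_INVALID, "error_box")
    OUTBOX.append((email, secrets.token_urlsafe(16)))
    return ResetResponse(True, SENT, "form_top")


def uniform_reset(email: str) -> ResetResponse:
    """Enumeration-resistant variant: the only thing that depends on
    registration status is whether a mail is actually queued; the response the
    visitor sees is identical in every field. (Response time should be kept
    uniform too; that is outside what this snippet models.)"""
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(16)))
    # Same flag, same text, same rendering slot regardless of the lookup.
    return ResetResponse(True, SENT, "form_top")


def distinguishable(handler, registered: str, unregistered: str) -> bool:
    """True if a visitor could tell the two addresses apart from the response
    alone (success flag, message text or rendering location)."""
    return handler(registered) != handler(unregistered)
```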
