Answer the question
In order to leave comments, you need to log in
How in the registration form not to allow to determine that the email exists?
The problem seems to be logical. There is a registration form, there are fields in it: 1)
E
-mail*
2) Full name
2) Password*
3) Password repeat*
4) Captcha*
*- required
". It can be used to determine that, in fact, the user is registered on this site, which can be compromising information or serve for hacking through social engineering.
Possible solution:
a) Display the same error as with an incorrectly passed captcha. Minus - if the user has forgotten that he has already registered on this site, then no hint is given.
b) Send an email asking you to reset your password. Minus - if you wish, you can spam mail. As an option, limit the sending of such a letter once a day to one email. But I don’t want to send extra letters, it’s better to decide at the form level.
How in this case and in what form to return the answer to the user?
Answer the question
In order to leave comments, you need to log in
Option a)
For example, facebook does this:
That is, a stupid mistake that requires the attacker to write to technical support, and there you should already understand for additional questions whether the owner of the specified data or the attacker is real. It is unlikely that the attacker will write to technical support.
You can’t just decide at the form level if you want to hint to the real owner of the account that he is already on the site - you are hinting to the attacker. I suppose you can do an additional check by IP, geolocation, user-agent of the one who is trying to check the mail, if at least something matches, then send a letter to the mail “maybe you tried to log in and could not, maybe they are trying to hack you.”
Well, you know that the user aaabbb123 is registered on the site - can you deduce a lot from this? This works only if you know the soap in advance (and you can check it in other ways - though also without a guarantee).
But if you display some kind of left error or say that the captcha is incorrect when it is correct, the right way is for the user to decide that something is wrong with the site and go to the forest. Now there are not so many unique services that could afford to scatter with users like this ...
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question