Data protection
fomiash, 2021-05-20 12:43:43

How in the registration form not to allow to determine that the email exists?

The problem seems to be a logical one. There is a registration form with the following fields:
1) E-mail*
2) Full name
3) Password*
4) Password repeat*
5) Captcha*
* - required

It can be used to determine that the user is in fact registered on this site, which can be compromising information or serve as a basis for hacking through social engineering.
Possible solutions:
a) Display the same error as for an incorrectly entered captcha. Minus: if the user has forgotten that he has already registered on this site, he gets no hint.
b) Send an e-mail asking him to reset his password. Minus: if someone wishes, he can spam the mailbox. As an option, limit the sending of such a letter to once a day per e-mail address. But I don't want to send extra letters; it is better to decide at the form level.

How in this case and in what form to return the answer to the user?


2 answer(s)
Uncle Seryozha, 2021-05-30
@Protos

Option a)
For example, facebook does this:
[screenshot of Facebook's registration error]
That is, a dumb error that requires the attacker to write to technical support, and there they should already be figuring out, with additional questions, whether the person is the real owner of the specified data or an attacker. It is unlikely that the attacker will write to technical support.
You can't just decide this at the form level: if you want to hint to the real owner of the account that he is already on the site, you are hinting to the attacker too. I suppose you could do an additional check by IP, geolocation and user-agent of the one who is trying to check the e-mail, and if at least something matches, send a letter to the address: "maybe you tried to log in and couldn't, or maybe someone is trying to hack you."

CityCat4, 2021-05-20
@CityCat4

Well, you know that the user aaabbb123 is registered on the site - can you deduce a lot from this? This works only if you know the e-mail address in advance (and you can check that in other ways - though also without a guarantee).
But if you display some random error, or say that the captcha is incorrect when it is correct, the most likely outcome is that the user decides something is wrong with the site and leaves. There are not so many unique services nowadays that could afford to throw away users like this...
