big-band-roulette / musicians-portal-old

A portal for Big Band Roulette musicians built using Flask.
https://portal.bigbandroulette.com

Data disclosure through forgot password #17

Closed THargreaves closed 11 months ago

THargreaves commented 12 months ago

Not an actual GDPR violation so low priority but we should fix this because it's bad security practice...

When you click forgot password and the email doesn't exist we say "Specified user does not exist". This reveals who is signed up to the portal.

Something like "Thank you for your request. If the submitted email exists, you will receive an email shortly." would be better.

carlashworth commented 11 months ago

All valid email addresses now just return "An email was sent to <email address>", thus providing no user enumeration issues. This is included by default in flask-security-too so the fix was a one-liner, instead of creating our own custom form. Adding custom text would be more difficult, but this seems to work for now.
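The enumeration oracle described in this issue, and the generic-response fix, modelled as a small added example. This is not code from the musicians-portal repository or from flask-security-too; it stands in for the Flask handler with plain Python so it runs offline. The user store, the outbox and the two handler names are constructed for illustration.

```python
"""
Forgot-password handler modelled without Flask (added example, not project code).
Contrasts the leaky response from the issue with a generic response that
reveals nothing about which addresses are registered.
"""
from dataclasses import dataclass, field

# Constructed sample user store: exactly one registered address.
REGISTERED_USERS = frozenset({"alice@example.com"})

# Wording quoted from the issue thread.
LEAKY_MISSING_USER = "Specified user does not exist"
GENERIC_RESPONSE = ("Thank you for your request. If the submitted email exists, "
                    "you will receive an email shortly.")


@dataclass
class Outbox:
    """Stand-in for the mail backend: records (recipient, subject) pairs."""
    sent: list = field(default_factory=list)


def forgot_password_leaky(email, users=REGISTERED_USERS, outbox=None):
    """Behaviour reported in the issue: the response text differs depending
    on whether the address is registered, so it acts as an enumeration oracle."""
    outbox = outbox if outbox is not None else Outbox()
    if email not in users:
        return LEAKY_MISSING_USER
    outbox.sent.append((email, "Password reset"))
    return f"An email was sent to {email}"


def forgot_password_generic(email, users=REGISTERED_USERS, outbox=None):
    """Hardened behaviour: the same response for every input.
    The reset mail is still only sent when the address is registered,
    so the user-visible channel no longer distinguishes the two cases."""
    outbox = outbox if outbox is not None else Outbox()
    if email in users:
        outbox.sent.append((email, "Password reset"))
    return GENERIC_RESPONSE


def response_distinguishes(handler, known, unknown):
    """True when the handler's response for a registered address differs from
    its response for an unregistered one, i.e. the endpoint leaks membership.
    Useful as a regression check in the test suite after the fix."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, handler in (("leaky", forgot_password_leaky),
                          ("generic", forgot_password_generic)):
        leaks = response_distinguishes(handler, "alice@example.com", "bob@example.com")
        print(f"{name}: responses differ for known vs unknown address -> {leaks}")
```

The `response_distinguishes` check is the kind of assertion worth keeping in the project's tests so the generic wording cannot regress. Note that a uniform message closes only the response-body channel; the reset mail itself is still sent only to registered addresses, which is the intended behaviour.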