Current state
On the /forgot_password page, after the user submits the e-mail address to which the password-reset link should be sent, a message informs them that, if the account exists, they will receive an e-mail. However, the way this message is displayed depends on whether the address is in the database:
if the address is in the database, the message appears on a dark orange background at the top of the window;
if the address is not in the database, the message appears as an error message (red text on a pink background) at the bottom of the window.
This difference is a security weakness: the text of the message is deliberately non-committal, but the styling and position reveal the answer anyway, so an attacker can submit arbitrary addresses to the form and learn which ones belong to registered accounts (user enumeration).
Desired state
The message informing the user that, if the e-mail address is in the database, they will receive an e-mail should be rendered identically (same text, same styling, same position in the page, same HTTP status) whether or not the address is in the database.
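The following is an added example, not code from the original report or from the application it describes. It models the /forgot_password handler in plain Python (no web framework) in two variants, one reproducing the inconsistent rendering reported above and one giving the identical response either way, together with the check an attacker would run to tell registered addresses from unregistered ones. The user table, the response fields and all function names are assumptions made for the illustration.

```python
"""
Added example (not code from the original report): a minimal model of the
/forgot_password handler showing how inconsistent feedback lets an attacker
enumerate registered addresses, and a hardened variant that responds
identically whether or not the address is registered.

The user table, the response shape (HTTP status, flash category, placement
in the page) and the function names are constructed assumptions, not the
application's real API.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample of registered accounts (hypothetical).
REGISTERED = {"alice@example.com", "bob@example.com"}

MESSAGE = "If that e-mail address is registered, you will receive a reset link shortly."


@dataclass(frozen=True)
class Response:
    status: int      # HTTP status code
    category: str    # flash-message category the template renders
    placement: str   # where the template places the message
    body: str        # message text shown to the user


def queue_reset_mail(email: str) -> None:
    """Stand-in for handing the reset mail to a background worker.

    Sending asynchronously matters: if the handler waited for the mail to go
    out, the response time alone would reveal which addresses are registered.
    """
    pass


def forgot_password_vulnerable(email: str) -> Response:
    """Reproduces the reported behaviour: same text, different rendering."""
    if email in REGISTERED:
        queue_reset_mail(email)
        # Rendered on a dark orange background at the top of the window.
        return Response(200, "info", "top", MESSAGE)
    # Rendered as an error (red on pink) at the bottom of the window.
    return Response(200, "error", "bottom", MESSAGE)


def forgot_password_fixed(email: str) -> Response:
    """Desired behaviour: the only side effect that depends on the lookup is
    the queued mail, which the requester never sees in the response."""
    if email in REGISTERED:
        queue_reset_mail(email)
    return Response(200, "info", "top", MESSAGE)


def enumerate_accounts(handler: Callable[[str], Response],
                       candidates: Iterable[str]) -> set:
    """Attacker's check: obtain a baseline from an address that is certainly
    not registered, then keep every candidate whose response differs."""
    baseline = handler("definitely-not-registered-4f2c@example.invalid")
    return {email for email in candidates if handler(email) != baseline}


if __name__ == "__main__":
    probes = ["alice@example.com", "carol@example.com"]
    print("vulnerable:", enumerate_accounts(forgot_password_vulnerable, probes))
    print("fixed:     ", enumerate_accounts(forgot_password_fixed, probes))
```

The comparison in `enumerate_accounts` is the test to keep in mind when verifying the fix: every field of the response that reaches the browser (text, template, status code, redirect target, cookies) must be identical for registered and unregistered addresses. Rate limiting the form is a useful complement but does not replace this, since a slow attacker still gets an answer per request.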