Bug #20911: (case: forgot email) ->Mail sent to persons in any case, even if they are not registered! - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Actions

Copy link

Bug #20911

closed

(case: forgot email) ->Mail sent to persons in any case, even if they are not registered!

Added by Marcel Fitzner over 15 years ago. Updated almost 13 years ago.

Status:

Rejected

Priority:

Should have

Assignee:

Category:

felogin

Target version:

Start date:

2009-08-21

Due date:

% Done:

Estimated time:

TYPO3 Version:

4.7

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

If users enter wrong email-adress (or even abuse the forgot password form),
an email is sent without checking if the user has ever been registered under the entered email-adress.

Selbiges Problem gab es schon bei newloginbox..
(issue imported from #M11765)

Related issues 2 (0 open — 2 closed)

Related to TYPO3 Core - Bug #23199: Forgot password for non existant users

Closed

2010-07-15

Actions

Has duplicate TYPO3 Core - Bug #21277: Danger for misusing forgot password function for spamming mailboxes

Closed

Christian Kuhn

2009-10-15

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Chris topher over 15 years ago

If the form told the user that the e-mail-address he entered is not registered, this would open a way of guessing registered e-mail-addresses.

If it would not send out an e-mail without any notice, a user who has registered himself at the website, but perhaps with another e-mail-adress, would think, that the send-password-function does not work at all.

That's the problem...
Do you have an idea to solve that?

Actions

Copy link

Updated by Marcel Fitzner about 15 years ago

Indeed. Such a case would be solved in a better way by the FE-plugin showing that the entered email-adress had not been registered and therefor no mail has been sent,
so the user would be able to try another email-adress. By this an unnecessarily sent mail could be spared.

Actions

Copy link

Updated by Chris topher about 15 years ago

As I already wrote: This will open a way of guessing registered e-mail-addresses.
The way you propose to do it the information whether a certain e-mail-address is registered or not is disclosed to the public.
The fact that an address is registered at a website may be regarded as confidential by some users.
For them it will not be acceptable to see this information available in the public that way.

Actions

Copy link

Updated by Marcel Fitzner about 15 years ago

Ah yes, sorry..

Maybe just a simple request would help, if the entered email-adress is correct.

The user can then agree, in order to get the new password,
or, simply, go back back to the previous form,
in order to show the input field for the email-adress.

So there wouldn't be a possibility to check, if the email-adress is registered.

But at least, the user can be indicated, that he should review his input, in order to possibly correct typing errors..

...and besides that he feels, that an email will be sent to the given adress, in any case...[if wrong, then without pw of course]...

Actions

Copy link