On the 'Request new password' form (/user/password), you get the following message if you enter an unused mail address or username:
Sorry, firstname.lastname@example.org is not recognized as a user name or an e-mail address.
If you enter a used mail address or username, you get:
Further instructions have been sent to your e-mail address.
So, an anonymous user can easily check whether there is a user registered with a certain e-mail address or not.
I think this can be a privacy issue. Think of the following scenario:
Alice wants to check if her fiancé Bob is registered at "adult-dating.example.com", a well known Internet dating site run by Drupal. She visits
adult-dating.example.com/user/password and enters his mail address
email@example.com. If she gets the message "Further instructions have been sent to your e-mail address.", she'll know that there is a user registered with Bob's mail address (= Bob himself) or with a username matching his mail address (unlikely that it would be someone else).
- never print "Sorry, XYZ is not recognized as a user name or an e-mail address.",
- always print "Further instructions have been sent to your e-mail address.".
Maybe we should change the wording of this message then (adding something like "if matched any account").
- (novice) Issue summary needs updating with issue summary template (how to: http://drupal.org/node/1427826)
- (novice) document/update steps to test/reproduce (how to: http://drupal.org/node/1468198)
- (novice) manual testing (how to: http://drupal.org/node/1489010)
- (novice) check coding standards and documentation (how to: http://drupal.org/node/1487976)
- Writing more tests? Needs a test only patch so the bot can show it fails. (how to: http://drupal.org/node/1468170)
- Needs an interdiff (how to: http://drupal.org/node/1488712)