Reset Password - email message states successfully sent to email that doesn't exist

Hi, is there a possibility to show an error message when a user enters an email that doesn't exist when trying to reset their password? Right now Auth0 shows a message that the email was sent successfully, which is misleading to the user.

I don’t think this can be changed, but someone with more experience may correct me!

No error is shown because throwing an error saying the email doesn’t exist leaks information … I can use that to find out your user’s email addresses.


Hey @jdkatz!

Can you let me know which stack you use? Did you go for Lock, or are you trying to achieve that using our Authentication API? Thanks for clarifying!

As @markd mentions, this is a well-known security risk and mentioned by OWASP:

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

In addition, we mention it in a recent blog post:

It’s also good practice to purposefully use vague login failure messages when your users enter an incorrect username or password. Otherwise, attackers may be able to identify valid accounts that they could use in order to instigate an attack.

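The practice the reply describes, as an added example that is not Auth0's code or part of the original thread: a reset handler that answers identically for registered and unregistered addresses (the account lookup only decides whether an email is queued), beside the enumerable variant the question asks for. The user store, mailer and function names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample user store: only these addresses are registered.
REGISTERED_USERS = {"alice@example.com", "bob@example.com"}

GENERIC_RESET_MESSAGE = (
    "If an account exists for that email address, a password reset link has been sent."
)


@dataclass
class Mailer:
    """Records reset emails instead of sending them, so the example runs offline."""
    sent_to: list = field(default_factory=list)

    def send_reset_link(self, email: str) -> None:
        self.sent_to.append(email)


def request_password_reset(email: str, mailer: Mailer, users=REGISTERED_USERS) -> dict:
    """Hardened form: same status, message and shape whether or not the account exists.

    The lookup result drives only a side effect (queueing the email) and is never
    reflected in the response. In production the send should be queued to a worker
    so response time does not differ between the two branches either."""
    normalized = email.strip().lower()
    if normalized in users:
        mailer.send_reset_link(normalized)
    return {"status": 200, "message": GENERIC_RESET_MESSAGE}


def leaky_request_password_reset(email: str, mailer: Mailer, users=REGISTERED_USERS) -> dict:
    """The behaviour the question asks for: the response reveals whether the account exists."""
    normalized = email.strip().lower()
    if normalized not in users:
        return {"status": 404, "message": "No account found for that email address."}
    mailer.send_reset_link(normalized)
    return {"status": 200, "message": "Reset email sent."}


def responses_distinguish_accounts(handler) -> bool:
    """Review check: does the handler answer differently for a known and an unknown address?

    Uses a throwaway mailer so the check itself sends nothing."""
    known = handler("alice@example.com", Mailer())
    unknown = handler("nobody@example.com", Mailer())
    return known != unknown
```

`responses_distinguish_accounts` is the kind of assertion you would keep in a test suite so a later change to the handler cannot quietly reintroduce the distinguishing message.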
