
User enumeration through forgot password functionality #1

@akudiurov


Problem:
An attempt to recover the password for a non-existent account returns a different answer.

Possible impact:
Such behavior allows user enumeration, which makes brute-force attacks easier and, since the username is an email address, enables lead scraping and social engineering attacks.

Solution:
Responses from authentication or recovery mechanism must give no information about user existence. Return the same exact message (including headers, HTTP status, etc.) if a user does or does not exist.
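To illustrate the fix described above, here is an added example (not code from this project) showing a forgot-password handler in the vulnerable form beside a hardened form that returns the same status, headers and body whether or not the account exists; the user store, handler names and `send_email` callback are assumptions for the illustration.

```python
import secrets

# Constructed sample user store (email -> account record); returns a fresh copy each call.
def make_users():
    return {"alice@example.com": {"reset_token": None}}

# Vulnerable variant: the response reveals whether the account exists, which is the
# behaviour reported in the issue (different body, different status code).
def forgot_password_vulnerable(email, users):
    if email not in users:
        return (404, {"Content-Type": "application/json"}, '{"error": "no such user"}')
    users[email]["reset_token"] = secrets.token_urlsafe(32)
    return (200, {"Content-Type": "application/json"}, '{"message": "Reset email sent"}')

# Single response object returned on every request, so status, headers and body
# cannot differ between the "user exists" and "user does not exist" cases.
UNIFORM_RESPONSE = (
    200,
    {"Content-Type": "application/json"},
    '{"message": "If an account exists for that address, a reset link has been sent."}',
)

# Hardened variant: the same response is returned on both paths. A token is generated
# unconditionally so the two paths do comparable work; the only difference (sending the
# email) is a side effect the caller cannot observe. In a real deployment the email
# should be queued asynchronously so its latency does not become a timing signal.
def forgot_password_hardened(email, users, send_email):
    token = secrets.token_urlsafe(32)
    record = users.get(email)
    if record is not None:
        record["reset_token"] = token
        send_email(email, token)
    return UNIFORM_RESPONSE

# Defender's check: call the handler with a known and an unknown address and confirm
# that the returned status, headers and body are byte-for-byte identical.
def responses_identical(handler, known, unknown):
    return handler(known) == handler(unknown)
```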
