Open
Description
Problem:
The server answers with a different HTTP code (400) and explicit error text when a user exists but the password is incorrect than when the user does not exist.
Possible impact:
Such behavior allows user enumeration, which makes brute-force attacks easier and, since the username is an email address, enables lead scraping and social engineering attacks.
Solution:
Responses from the authentication and recovery mechanisms must give no information about whether a user exists. Return exactly the same response (including headers, HTTP status, body, etc.) whether or not the user exists.
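The following is an added illustration of the fix, not code from the project this issue was filed against: a constructed login handler in its leaking form next to a hardened form that returns an identical status, headers and body for an unknown user and a wrong password, and also hashes a dummy credential for unknown users so the response time does not leak existence either. User store, salt, and status codes are assumed values.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo user store: email -> (salt, PBKDF2 hash). Made-up values.
_SALT = b"demo-salt-0123456789"
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Hash of a throwaway random password, so a request for an unknown user
# costs the same work as one for a known user (no timing oracle).
_DUMMY = (_SALT, _hash(os.urandom(16).hex(), _SALT))

_HEADERS = {"Content-Type": "text/plain"}

def vulnerable_login(username: str, password: str) -> tuple[int, dict, str]:
    """Leaks existence: status and body differ between the two failure cases."""
    if username not in USERS:
        return 404, _HEADERS, "user does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 400, _HEADERS, "incorrect password"
    return 200, _HEADERS, "ok"

def hardened_login(username: str, password: str) -> tuple[int, dict, str]:
    """Same status, headers and body for unknown user and wrong password."""
    salt, stored = USERS.get(username, _DUMMY)      # always perform one hash
    ok = hmac.compare_digest(_hash(password, salt), stored)
    ok = ok and username in USERS                    # dummy can never log in
    if not ok:
        return 401, _HEADERS, "invalid credentials"
    return 200, _HEADERS, "ok"
```

The same rule applies to password-reset and signup endpoints: respond with "if an account exists, an email has been sent" rather than confirming or denying the address.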