by netsec_burn 3333 days ago
This isn't an issue, you can do the same thing with the main login form and a number of undocumented APIs. I've never seen anyone else acknowledge "confirmation of email address existence" as a security issue and I don't see why Google should be the first.
3 comments

> I've never seen anyone else acknowledge "confirmation of email address existence" as a security issue

It's usually called "username enumeration" and there's plenty of pen testing firms that include this as a standard part of their process.

How do you prevent username enumeration when you want to have a username taken feature in the sign up process? I suppose a way to handle that would be to throttle the number of times such an IP can make those requests per month or something. This still will not prevent a motivated attacker, or the casual user to check if one or two usernames are registered.

In most cases, you can use an email address as the account name, and send a confirmation email containing a link they can use to sign up.

If the account already exists, you send an email saying something like "Hey, you tried to sign up but you already have an account. If you need to reset your password, follow this link." If the account doesn't already exist, you send the normal "follow this link to confirm your account" email.

From the attacker's point of view all they get told is "Check your email to continue" whether or not the account is already registered, so it doesn't leak this information.

This isn't always suitable – a mail provider like Gmail is an obvious example – but it would work for the vast majority of websites / web applications.

To be honest, I don't really rate username enumeration as a severe problem for most projects – obviously it's a problem if you can determine whether an email address is registered on, e.g. Ashley Madison or similar though. But it's simply not the case that "nobody else acknowledges it as a problem" – it's a very widely used test, even if the severity is usually considered low.
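The sign-up flow described in the comment above (one public response for everyone, with the difference pushed into the email that gets sent) plus the per-client throttle suggested earlier, written out as an added example; this is not code from the thread or from any real site, and the in-memory user set, outbox and throttle limits are constructed stand-ins.

```python
import secrets
import time
from collections import defaultdict

# Constructed stand-ins for a user database and an outbound mail queue.
USERS = {"alice@example.com"}            # constructed: one pre-existing account
OUTBOX = []                              # (recipient, mail template, one-time token)
PUBLIC_RESPONSE = "Check your email to continue"

# Throttle: at most LIMIT sign-up attempts per client per WINDOW seconds (assumed values).
LIMIT, WINDOW = 5, 3600
_attempts = defaultdict(list)


def _throttled(client_ip, now):
    """Sliding-window counter per client; True when the client is over LIMIT."""
    recent = [t for t in _attempts[client_ip] if now - t < WINDOW]
    _attempts[client_ip] = recent
    if len(recent) >= LIMIT:
        return True
    recent.append(now)
    return False


def handle_signup(email, client_ip, now=None):
    """Sign-up endpoint that returns the same message whether or not `email`
    is already registered. Only the email delivered to the mailbox differs,
    and both branches do the same amount of work (one token, one queued mail),
    so neither the response body nor its timing tells the two cases apart."""
    now = time.time() if now is None else now
    if _throttled(client_ip, now):
        # Same wording when throttled: a distinct "slow down" message would itself
        # be a signal, and dropping the mail keeps the site from being used as a relay.
        return PUBLIC_RESPONSE
    token = secrets.token_urlsafe(32)
    if email in USERS:
        # Existing account: "you already have an account, reset your password here"
        OUTBOX.append((email, "existing_account_reset", token))
    else:
        # New account: the normal "follow this link to confirm" email
        OUTBOX.append((email, "confirm_signup", token))
    return PUBLIC_RESPONSE
```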

Username enumeration is useful against a system with 10 or 1000 accounts, but absolutely meaningless on a system with 1,000,000,000 regular users.

It can be useful in either case. It depends on what the attacker is trying to achieve. If they just want to get in as any user, then your hypothetical system with a billion regular users is going to be even easier, because if even a fraction of those can be enumerated, it's likely that at least some will be accessible using a password-spraying attack using one or two common passwords, or by cross-referencing with passwords disclosed in a breach.

But if we're talking concretely about GMail here, the easiest way for someone to get in as "any user" is to create a GMail account.

> I've never seen anyone else acknowledge "confirmation of email address existence" as a security issue

Every guide to setting up an email server starts with "turn SMTP verify off if your server has insecure defaults"

There's a difference between being able to do that 10 times or 40.000 times in an hour.