by selykg 1300 days ago
Depending on your particular service, there's a better alternative for not leaking the existing account. A service I worked on previously was super sensitive and we didn't want to leak the existence of an existing account. What we did instead was ask for the email on the first page of signup; we verified the email was active by sending an email and a link to continue signup. If they already have an account, we'd inform them in that email that they already have an account.

This way, the attacker actually has to have access to the email in question to know that an existing account is present on the service.

If you do the whole signup process on a single page and validate the email there, then yeah, you're gonna have a rough time.
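
A minimal sketch of the email-first signup flow described in the comment above, added here as an illustration and not code from the commenter or their service. The function names, the in-memory `ACCOUNTS` and `OUTBOX` stores, and the HMAC-signed link format are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)      # signing key for continuation links (demo only)
ACCOUNTS = {"alice@example.com"}      # constructed sample data: existing accounts
OUTBOX = []                           # stands in for a queued mail sender
GENERIC = {"status": 200, "body": "Check your inbox to continue."}

def signup_token(email, expires):
    """HMAC over the address and expiry, so the link cannot be forged or re-targeted."""
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def start_signup(email, now=None):
    """First page of signup: the HTTP response is identical in both branches.

    Whether the account exists is revealed only inside the email, so it is
    visible only to someone who can read that mailbox. Both branches enqueue
    exactly one message, which keeps response timing comparable as well.
    """
    now = int(time.time()) if now is None else now
    email = email.strip().lower()
    if email in ACCOUNTS:
        body = "You already have an account. Sign in or reset your password."
    else:
        expires = now + 3600
        token = signup_token(email, expires)
        body = f"Continue signup: /signup/continue?email={email}&exp={expires}&t={token}"
    OUTBOX.append((email, body))
    return dict(GENERIC)

def continue_signup(email, expires, token, now=None):
    """Second step, reached only through the emailed link."""
    now = int(time.time()) if now is None else now
    email = email.strip().lower()
    expected = signup_token(email, expires)
    if not hmac.compare_digest(expected, token):
        return False                  # forged link, or a token issued for another address
    if now > expires or email in ACCOUNTS:
        return False                  # expired link, or account created in the meantime
    ACCOUNTS.add(email)
    return True
```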