Hacker News
by lelanthran 177 days ago
First, I disagree that "user emails can be brute-forced" is a serious security issue.

I mean, sure, it's a security issue, but on a scale of 1-10, with 1 being "security issue, we'll fix in next point release" and 10 being "All-hands until this emergency patch goes out, and we keep the system offline while fixing it", this is definitely a 1.

Secondly, this barely counts as a security issue; some systems I worked on recently required error messages to tell the user how to fix the error they got. You don't simply say (for example) "attachment not found", you say "Field $FIELD is empty. This is a mandatory field" or similar.

There are still plenty of secure systems out there that will direct the user to create an account if an unregistered user attempts to log in.

It's a trade-off in usability: some places go the "Authentication failed (but we won't tell you why)" route, and others go the "Click here to sign up" route.

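The two routes the post describes, as an added example in Python that is not from the thread: a login handler whose message reveals whether the email is registered, beside one that returns the same message and does the same hashing work either way (plus the matching signup response). The user store, salt and credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: email -> (salt, PBKDF2 hash). Fixed salt only so the demo is reproducible.
_SALT = bytes.fromhex("00" * 16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used for unknown emails so the hashing work (and so the timing) matches a real lookup.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_leaky(email: str, password: str) -> str:
    """'Click here to sign up' route: the message itself tells a caller whether the email exists."""
    rec = USERS.get(email)
    if rec is None:
        return "No account for that email. Click here to sign up."
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Wrong password."

def login_uniform(email: str, password: str) -> str:
    """'Authentication failed (but we won't tell you why)' route: identical message and identical work."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)  # always computed, even for unknown emails
    return "OK" if matched and email in USERS else "Authentication failed."

def signup_uniform(email: str) -> str:
    """Signup counterpart: the response never says whether the address is taken; that notice goes in the email."""
    return "If this address is not already registered, a confirmation email has been sent."
```

The leaky handler returns different text for a registered and an unregistered address, which is exactly what an enumeration check looks for; the uniform handler does not.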

> First, I disagree that "user emails can be brute-forced" is a serious security issue.

> I mean, sure, it's a security issue, but on a scale of 1-10, with 1 being "security issue, we'll fix in next point release" and 10 being "All-hands until this emergency patch goes out, and we keep the system offline while fixing it", this is definitely a 1.

Jesus no.

Aside from this now being an argument on semantics, someone enumerating every customer/user account you have is serious.

It opens the door for privacy leaks and targeted attacks (like password attempts, phishing, or account lockouts).

If you don't want to take that seriously, thank you for your honesty, I will ensure that I never have an account on any service you work on.

> If you don't want to take that seriously, thank you for your honesty, I will ensure that I never have an account on any service you work on.

That's fine; you already have multiple accounts on various providers that can be trivially massaged by a client into providing proof of life of an email address.

Microsoft, OpenAI, Anthropic, Oracle, Amazon; I tried them all now, and they let you enumerate emails trivially by clicking "signup" and then informing you if you choose an email that is already registered.

> Jesus no.

You haven't really thought this through as thoroughly as you think you have - email enumeration is still, at the tail end of 2025, possible across all major sites, providers, etc.