The "Forgot your password?" password reset form in Joomla 3.x can disclose that an email address is registered with the site. This is a personal privacy violation which is illegal under some privacy laws.
The problem is that the core Joomla function reports two different messages and formats:
A third party can therefore determine whether any email address is registered with and associated with the site. Email addresses are commonly widely known, and in many cases are in the form [email protected]
Can this be corrected with an override, to return the #2 response above regardless of whether the email address entered is registered or not?
If not, what core file(s) need to be changed?
I am not mentioning Username here because I am using a plugin which allows authentication by email address and password instead of Username and password.
Please note! If you are unfamiliar with these specific responses, they are different. #1 is text that appears in a Joomla error box. #2 appears as text at the top of the form. This disclosure problem is not solved by a language file override making the text identical.
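As an added illustration (not code from the question, Joomla, or any override), the handler pattern that removes this oracle: the same message on the same channel whether or not the address exists, with the reset mail queued rather than sent inline so the branch taken does not show up in response time either. Function names and the sample user store are constructed for the example.

```python
import secrets

# Constructed sample user store for the example (not a real site's data).
REGISTERED = {"alice@example.com": {"id": 42}}

GENERIC_MESSAGE = ("If that email address is registered, a password reset "
                   "link has been sent to it.")


def vulnerable_reset_request(email, users=REGISTERED):
    """Mirrors the behaviour the question describes: a different message on
    a different channel (error box vs. form notice) depending on whether the
    address is registered, so the response itself answers the question."""
    if email not in users:
        return {"channel": "error_box", "message": "Invalid email address."}
    token = secrets.token_urlsafe(32)
    # ... the reset email carrying `token` would be sent here ...
    return {"channel": "form_notice", "message": "A reset link has been sent."}


def hardened_reset_request(email, users=REGISTERED, outbox=None):
    """Same text, same channel (and, in a real app, same HTTP status) on both
    branches. The reset mail is only queued when the address is registered;
    queuing instead of sending inline keeps the response time independent of
    the branch, since mail delivery is the expensive step."""
    outbox = [] if outbox is None else outbox
    token = secrets.token_urlsafe(32)     # generated on both branches
    if email in users:
        outbox.append((email, token))     # deliver asynchronously
    return {"channel": "form_notice", "message": GENERIC_MESSAGE}


def response_is_oracle(handler):
    """Defender's check: does the handler answer differently for an address
    known to be registered and one that is not?"""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    return known != unknown
```

Run `response_is_oracle` against a reset handler after any override or patch; it must return False, and that check is independent of whatever language strings are in use.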