How to prevent password reset from disclosing private email addresses?

by brett   Last Updated October 12, 2019 22:10 PM

The "Forgot your password?" password reset form in Joomla 3.x can disclose that an email address is registered with the site. This is a personal privacy violation which is illegal under some privacy laws.

The problem is that the core Joomla function reports two different messages and formats:

1. "Reset password failed: Invalid email address" when a non-registered address is entered into the reset form, and
2. "An email has been sent to your email address. The email has a verification code, please paste the verification code in the field below to prove that you are the owner of this account." when a registered address is entered.

A third party can therefore determine that any email address is registered to and is associated with the site. Email addresses are commonly widely known, and in many cases are in the form [email protected].

Can this be corrected with an override, to return the #2 response above regardless of whether the email address entered is registered?

If not, what core file(s) need to be changed?

I am not mentioning Username here because I am using a plugin which allows authentication by email address and password instead of Username and password.

Please note! If you are unfamiliar with these specific responses, they are different. #1 is text that appears in a Joomla error box. #2 appears as text at the top of the form. This disclosure problem is not solved by a language file override making the text identical.

Tags : joomla-3.x login
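The question describes a classic account-enumeration oracle: the server's reply differs depending on whether the address exists. The fix the asker is after is a handler whose observable response is identical on both paths, with the only difference being a message delivered to the real mailbox owner. The following is an added, framework-neutral illustration of that pattern (not Joomla's code and not the asker's; the user store, the `ResetService` class and its method names are constructed for the example). It shows the leaky handler beside an enumeration-safe one that does the same token work on both paths, stores only a hash of the token, and verifies it with a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample user store for the example: one registered address.
REGISTERED_USERS = {"alice@example.com": {"id": 42}}

# The two responses quoted in the question.
MSG_INVALID = "Reset password failed: Invalid email address"
MSG_SENT = ("An email has been sent to your email address. The email has a "
            "verification code, please paste the verification code in the "
            "field below to prove that you are the owner of this account.")


def leaky_reset_request(email: str) -> str:
    """Enumeration-prone handler: the reply reveals registration status."""
    if email.strip().lower() not in REGISTERED_USERS:
        return MSG_INVALID
    return MSG_SENT


@dataclass
class ResetService:
    """Hypothetical enumeration-safe reset flow (constructed for this example)."""
    outbox: list = field(default_factory=list)   # stands in for the mail queue
    tokens: dict = field(default_factory=dict)   # user id -> (token hash, expiry)
    ttl_seconds: int = 3600

    def request_reset(self, email: str) -> str:
        # Generate and hash a token on every request, so the work done (and
        # roughly the response time) is the same whether or not the address
        # is registered. Only a registered user gets the token stored and mailed.
        raw_token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
        user = REGISTERED_USERS.get(email.strip().lower())
        if user is not None:
            self.tokens[user["id"]] = (token_hash, time.time() + self.ttl_seconds)
            self.outbox.append({"to": email, "token": raw_token})
        # Identical message on both paths: nothing in the HTTP response
        # distinguishes a registered address from an unknown one.
        return MSG_SENT

    def verify(self, user_id: int, presented: str) -> bool:
        """Check a presented code: hashed, constant-time compared, single use."""
        entry = self.tokens.get(user_id)
        if entry is None:
            return False
        token_hash, expiry = entry
        if time.time() > expiry:
            del self.tokens[user_id]
            return False
        presented_hash = hashlib.sha256(presented.encode()).hexdigest()
        ok = hmac.compare_digest(token_hash, presented_hash)
        if ok:
            del self.tokens[user_id]  # a code can be redeemed only once
        return ok


if __name__ == "__main__":
    svc = ResetService()
    print(svc.request_reset("alice@example.com") == svc.request_reset("nobody@example.com"))
    print(len(svc.outbox), "message(s) queued")
```

Note that a language-file override on the Joomla strings would not achieve this: as the question points out, the two responses are rendered in different places (an error box versus text above the form), so the handler itself has to take the same branch for both cases.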
