nodeSolidServer/node-solid-server

Username leakage from account creation

Closed this issue · 0 comments

You can use account registration, /register, to test whether or not usernames exist. If you try to create an account with a username that exists, you get:
[image: image-20240312-175012]
An alternative here would be to simply say "Account creation failed" and give no specific reason, but that is not great for the user. Another option would be to prevent a screen like this from being used to scrape usernames by putting in standard protections such as reCAPTCHA.

This may take longer to resolve but could do with an immediate release since it is security related.

See also: #1758, #1770
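
One of the "standard protections" the issue mentions, sketched as an added example (not node-solid-server's code and not part of the original issue): a per-client sliding-window limit on registration attempts, which lets the form keep a specific error message while capping how many usernames one client can test. `RegistrationGuard`, `handleRegister`, the response strings and the sample client address are all hypothetical.

```javascript
// Added example with hypothetical names; not node-solid-server code.
// Sliding-window limiter on registration attempts per client, so a specific
// "username exists" message cannot be used for bulk username scraping.
class RegistrationGuard {
  constructor ({ maxAttempts = 5, windowMs = 15 * 60 * 1000 } = {}) {
    this.maxAttempts = maxAttempts
    this.windowMs = windowMs
    this.attempts = new Map() // clientKey -> timestamps of counted attempts
  }

  // Records an attempt; returns true while the client is within its budget.
  allow (clientKey, now = Date.now()) {
    const recent = (this.attempts.get(clientKey) || [])
      .filter(t => now - t < this.windowMs) // drop attempts outside the window
    const ok = recent.length < this.maxAttempts
    if (ok) recent.push(now)
    this.attempts.set(clientKey, recent)
    return ok
  }
}

// Hypothetical handler; `existing` stands in for the account store.
function handleRegister (guard, existing, clientKey, username, now = Date.now()) {
  // Throttle first, so a blocked client learns nothing about the username.
  if (!guard.allow(clientKey, now)) {
    return { status: 429, body: 'Too many registration attempts, try again later' }
  }
  if (existing.has(username)) {
    // Constructed message text (the page's real error is only in a screenshot).
    return { status: 400, body: 'Account creation failed: username already exists' }
  }
  existing.add(username)
  return { status: 200, body: 'Account created' }
}

// Constructed sample: one client repeatedly probing known usernames.
function demo () {
  const guard = new RegistrationGuard({ maxAttempts: 3, windowMs: 60000 })
  const existing = new Set(['alice', 'bob'])
  const probes = ['alice', 'bob', 'alice', 'bob', 'alice']
  return probes.map((name, i) =>
    handleRegister(guard, existing, '203.0.113.7', name, 1000 + i).status)
}
```

The in-memory map is unbounded and keyed on a single client identifier, so a deployment would need a bounded or shared store and a key that fits how its clients reach the server.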