Reset password facility leaks email addresses


When using the Lost Password facility, OpenStreetMap warns the user if the entered email address doesn’t exist in the system.
This is a very well known security issue and can allow attackers to cut the time needed to crack their way in by orders of magnitude (see the mention of it under the “DON’T disclose valid usernames” section).
The proper way is to show the success message for all inputs. If the user mistyped their email, they won’t receive an email and will retry.
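As an added illustration of the difference described in this post (example code written for this thread, not the openstreetmap-website project's own code): a leaky reset handler beside a fixed one, against a constructed in-memory user table, plus the check a maintainer could keep as a regression test. The user table, `Outbox` mail stub and handler names are all assumptions for the example.

```ruby
# Added example, not openstreetmap's own code: two versions of a
# "lost password" handler over a constructed in-memory user table.
require 'securerandom'

# Constructed sample data; the address is a placeholder, not a real account.
USERS = { 'alice@example.org' => { name: 'alice' } }.freeze

# Stand-in for mail delivery: records what would be sent instead of sending it.
class Outbox
  attr_reader :sent

  def initialize
    @sent = []
  end

  def deliver(to, body)
    @sent << { to: to, body: body }
  end
end

# Leaky version: the response body differs depending on whether the address
# is registered, so the response alone reveals which addresses exist.
def reset_password_leaky(email, outbox)
  user = USERS[email.strip.downcase]
  return { status: :error, message: 'Could not find that email address.' } unless user

  token = SecureRandom.hex(16)
  outbox.deliver(email, "Reset token: #{token}")
  { status: :ok, message: 'Reset instructions sent.' }
end

# Fixed version: one response for every input. A token is generated and
# mailed only when the address is known; the caller is told nothing either way.
GENERIC_MESSAGE = 'If that address is registered, reset instructions have been sent.'.freeze

def reset_password_fixed(email, outbox)
  user = USERS[email.strip.downcase]
  if user
    token = SecureRandom.hex(16)
    outbox.deliver(email, "Reset token: #{token}")
  end
  { status: :ok, message: GENERIC_MESSAGE }
end

# Regression check: does the handler's response depend on whether the
# address is registered? Returns true when the response leaks that fact.
def response_reveals_existence?(handler_name)
  handler = method(handler_name)
  registered = handler.call('alice@example.org', Outbox.new)
  unknown    = handler.call('nobody@example.org', Outbox.new)
  registered != unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky handler leaks: #{response_reveals_existence?(:reset_password_leaky)}"
  puts "fixed handler leaks: #{response_reveals_existence?(:reset_password_fixed)}"
end
```

The check only compares response bodies. Even with identical bodies, the fixed handler still does extra work (token generation, mail delivery) only for known addresses, so response time can differ; in a real deployment that is handled by rate limiting reset requests and by doing the expensive work out of band, not by the response text alone.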


Opened a ticket for this.

Thanks for noticing! :slight_smile:

… and already “wontfix”. :wink: