Change Reset Password logic to display error message if email address is not known.

Keith Pitty

12 Nov, 2015 06:12 AM

This would lead to a clearer and less potentially confusing user experience.

  1. Support Staff 1 Posted by Eric Hodel on 12 Nov, 2015 08:34 AM

    For security reasons we cannot make this change.

    If we returned a different response depending on if an email existed in rubygems.org or not, an attacker could use this information to determine which email addresses were tied to accounts on rubygems.org. They could possibly leverage this to take control of an account and upload malicious gems.

  2. Eric Hodel closed this discussion on 12 Nov, 2015 08:34 AM.

  3. Keith Pitty re-opened this discussion on 12 Nov, 2015 10:10 AM

  4. 2 Posted by Keith Pitty on 12 Nov, 2015 10:10 AM

    Fair enough. In that case, perhaps the message could be changed to say something along the lines of “if we have a record of your email address you will receive an email in the next few minutes”.
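
The trade-off discussed in this thread, as an added Ruby example (not rubygems.org's code and not posted by either participant): a reset handler whose response depends on whether the address exists, beside one that returns the same response either way using the wording suggested in the last comment. The account store, mail outbox and all method names are hypothetical.

```ruby
require "securerandom"
require "digest"

# Constructed sample data: hypothetical in-memory account store and mail queue.
ACCOUNTS = { "known@example.com" => { reset_digest: nil } }
OUTBOX = []

GENERIC_NOTICE = "If we have a record of your email address you will " \
                 "receive an email in the next few minutes."

Response = Struct.new(:status, :body)

def normalize(email)
  email.to_s.strip.downcase
end

# Store only a digest of the token; the token itself goes out by mail.
def issue_token(key)
  token = SecureRandom.urlsafe_base64(32)
  ACCOUNTS[key][:reset_digest] = Digest::SHA256.hexdigest(token)
  OUTBOX << { to: key, token: token }
end

# Behaviour requested in the original post: the response reveals whether
# the address belongs to an account.
def reset_enumerable(email)
  key = normalize(email)
  return Response.new(404, "Email address not found.") unless ACCOUNTS.key?(key)
  issue_token(key)
  Response.new(200, "Reset instructions sent.")
end

# Same status and body on both branches; mail is only queued for real accounts.
# Queuing (rather than sending inline) also keeps response time similar.
def reset_uniform(email)
  key = normalize(email)
  issue_token(key) if ACCOUNTS.key?(key)
  Response.new(200, GENERIC_NOTICE)
end

# Regression check: can a caller tell a known address from an unknown one?
def distinguishable?(handler)
  send(handler, "known@example.com") != send(handler, "nobody@example.com")
end
```

`distinguishable?(:reset_enumerable)` is true and `distinguishable?(:reset_uniform)` is false, which makes it usable as a regression test for the reset endpoint.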
