RubyGems.org: Discussion (updated 2015-12-27T17:02:31Z)
Change Reset Password logic to display error message if email address is not known.

2015-11-12T06:12:38Z
<div><p>This would lead to a clearer and less potentially confusing user
experience.</p></div>
Keith Pitty

2015-11-12T08:34:05Z
<div><p>For security reasons we cannot make this change.</p>
<p>If we returned a different response depending on if an email
existed in rubygems.org or not, an attacker could use this
information to determine which email addresses were tied to
accounts on rubygems.org. They could possibly leverage this to take
control of an account and upload malicious gems.</p></div>
Eric Hodel

2015-11-12T10:10:14Z
<div><p>Fair enough. In that case, perhaps the message could be changed
to say something along the lines of “if we have a record of
your email address you will receive an email in the next few
minutes”.</p></div>Keith Pitty
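
<p>The behaviour discussed in this thread, as an added example that is not part of the original discussion and is not rubygems.org code: a reset handler whose response differs for unknown addresses, beside one that returns the same response either way and only sends mail when the account exists. The account store, outbox, handler names and status codes are hypothetical; the notice text follows the wording suggested in the last comment.</p>

```ruby
require "securerandom"

# Constructed sample data: the only registered address in this example.
ACCOUNTS = { "alice@example.com" => { reset_token: nil } }
OUTBOX = [] # hypothetical stand-in for a mail queue

GENERIC_NOTICE = "If we have a record of your email address you will " \
                 "receive an email in the next few minutes."

Response = Struct.new(:status, :body)

def normalize(email)
  email.to_s.strip.downcase
end

def issue_token(email, account)
  account[:reset_token] = SecureRandom.urlsafe_base64(32)
  OUTBOX << { to: email, token: account[:reset_token] }
end

# Enumerable variant: status and body reveal whether the address is registered.
def reset_password_enumerable(email)
  key = normalize(email)
  account = ACCOUNTS[key]
  return Response.new(404, "Email address not found.") unless account
  issue_token(key, account)
  Response.new(200, "Password reset email sent.")
end

# Uniform variant: identical status and body for every input;
# the only difference is the side effect (mail is queued for real accounts).
def reset_password_uniform(email)
  key = normalize(email)
  account = ACCOUNTS[key]
  issue_token(key, account) if account
  Response.new(200, GENERIC_NOTICE)
end

# True when a caller can tell a registered address from an unregistered one
# by comparing the two responses.
def distinguishable?(handler, known, unknown)
  send(handler, known) != send(handler, unknown)
end

%i[reset_password_enumerable reset_password_uniform].each do |h|
  result = distinguishable?(h, "alice@example.com", "nobody@example.com")
  puts "#{h}: distinguishable=#{result}"
end
```

<p>The comparison covers only the response status and body, which is the difference the thread is about.</p>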