Email enumeration via Reset password page in bookwyrm-social/bookwyrm
Reported on
Jul 6th 2022
Description
Through the Reset password page, an attacker can determine whether an email address is registered simply by observing the notification in the response page. Once the attacker knows that an email address exists, they can launch a brute-force attack against that account.
If an email exists:
The notification will be "A password reset link was sent to <email_address>", shown in green.
If an email does not exist:
The notification will be "No user with that email address was found.", shown in red.
Proof of Concept
1. Go to the Reset password page (https://book.dansmonorage.blue/password-reset).
2. Enter an existing email address and click Submit.
3. Observe the success notification.
4. Enter a non-existent email address (e.g. test@local.com) and click Submit.
5. Observe the error notification.
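The following script is an added example, not bookwyrm's code and not part of the original report. It models the two behaviours described above in plain Python: a leaky reset view whose response body depends on whether the account exists, the attacker-side check that turns the two quoted notifications into an enumeration oracle, and a hardened view that returns an indistinguishable body. The sample account store, the outbox stand-in, the CSS class names and the neutral message wording are all assumptions constructed for the illustration.

```python
"""Added example (not bookwyrm's code): the password-reset enumeration oracle
described in the report, and an indistinguishable response that closes it.

Assumptions, not taken from the report: KNOWN_USERS, OUTBOX, the CSS class
names and NEUTRAL_MSG are constructed for this illustration.
"""
import re
from typing import Callable, Dict, Iterable, List

# The two notifications quoted in the report.
SUCCESS_MSG = "A password reset link was sent to {email}"
NOT_FOUND_MSG = "No user with that email address was found."
# Neutral wording used by the fix (assumed here; not bookwyrm's text).
NEUTRAL_MSG = ("If an account with that email address exists, "
               "a password reset link has been sent.")

# Constructed sample account store standing in for the real user table.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}
# Constructed stand-in for the mail backend; records who was actually mailed.
OUTBOX: List[str] = []


def leaky_reset_view(email: str) -> str:
    """Vulnerable behaviour: the body (and colour class) depends on account existence."""
    if email.lower() in KNOWN_USERS:
        return f'<div class="notification is-success">{SUCCESS_MSG.format(email=email)}</div>'
    return f'<div class="notification is-danger">{NOT_FOUND_MSG}</div>'


def hardened_reset_view(email: str) -> str:
    """Fixed behaviour: identical body whether or not the account exists.
    The reset mail still goes only to registered addresses, so the only
    party who learns the outcome is the mailbox owner."""
    if email.lower() in KNOWN_USERS:
        OUTBOX.append(email.lower())
    return f'<div class="notification is-info">{NEUTRAL_MSG}</div>'


_SUCCESS_RE = re.compile(r"A password reset link was sent to", re.I)
_NOT_FOUND_RE = re.compile(r"No user with that email address was found", re.I)


def classify(body: str) -> str:
    """Attacker-side check: map a response body to 'exists', 'absent' or 'unknown'."""
    if _SUCCESS_RE.search(body):
        return "exists"
    if _NOT_FOUND_RE.search(body):
        return "absent"
    return "unknown"


def enumerate_accounts(view: Callable[[str], str],
                       candidates: Iterable[str]) -> Dict[str, str]:
    """Run the oracle over a candidate list. Against the leaky view this yields a
    verified list of registered addresses; against the hardened view, only 'unknown'."""
    return {email: classify(view(email)) for email in candidates}


def is_oracle(view: Callable[[str], str], known: str, unknown: str) -> bool:
    """Regression check for the fix: the page is an oracle if a registered and an
    unregistered address produce different response bodies."""
    return view(known) != view(unknown)


if __name__ == "__main__":
    candidates = ["alice@example.com", "test@local.com", "bob@example.com"]
    print("leaky:   ", enumerate_accounts(leaky_reset_view, candidates))
    print("hardened:", enumerate_accounts(hardened_reset_view, candidates))
    print("leaky view is an oracle:   ",
          is_oracle(leaky_reset_view, "alice@example.com", "test@local.com"))
    print("hardened view is an oracle:",
          is_oracle(hardened_reset_view, "alice@example.com", "test@local.com"))
    print("mail actually sent to:", OUTBOX)
```

Two caveats for anyone applying the fix: a uniform body is necessary but not sufficient, because a view that only sends mail on the existing-account branch can still leak through response time, so the send should be deferred to a background task or otherwise equalised; and the endpoint should be rate-limited, since even a closed oracle is still a free trigger for reset mail to arbitrary addresses.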
Impact
Account enumeration is a security weakness whereby a web site reveals which accounts already exist in the system. This may:
a) leave those accounts susceptible to a brute-force attack, since the attacker can concentrate password guessing on addresses known to be registered;
b) violate users' privacy, which can be very important for certain types of sites.