The current CAPTCHA implementation may not be secure

Type atlassian
Reporter padawan
Modified 2017-02-17T06:16:59


While a CAPTCHA is being displayed, the current implementation shows a different message when the CAPTCHA is entered correctly but the user's password is not than when the CAPTCHA is entered incorrectly. This gives away more information than a login screen should. The error message displayed while a CAPTCHA is shown should remain constant.

e.g. "Sorry, your username, password or captcha is incorrect - please try again."
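
The behaviour reported above next to the requested constant-message behaviour, with a regression check that counts the distinct failure messages. This is an added example, not Atlassian's code. The function names, the sample user, the CAPTCHA value and the two messages in `login_leaky` are hypothetical. Evaluating both checks on every request is an addition beyond the report.

```python
import hashlib
import hmac

GENERIC_ERROR = "Sorry, your username, password or captcha is incorrect - please try again."

def _hash(password: str, salt: bytes) -> bytes:
    # Demo iteration count; production values are much higher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1_000)

# Constructed sample data: one user and the CAPTCHA answer held server-side.
SALT = b"constructed-salt"
USERS = {"alice": _hash("correct horse", SALT)}
DUMMY_HASH = _hash("no-such-user", SALT)
EXPECTED_CAPTCHA = "x7k2p"

def _checks(username, password, captcha):
    # Evaluate both checks on every request so neither short-circuits the other.
    stored = USERS.get(username, DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password, SALT)) and username in USERS
    captcha_ok = hmac.compare_digest(captcha.encode(), EXPECTED_CAPTCHA.encode())
    return password_ok, captcha_ok

def login_leaky(username, password, captcha):
    """Behaviour described in the report: the message reveals which check failed."""
    password_ok, captcha_ok = _checks(username, password, captcha)
    if not captcha_ok:
        return "The CAPTCHA you entered is incorrect."  # hypothetical wording
    if not password_ok:
        return "Sorry, your username or password is incorrect."  # hypothetical wording
    return "OK"

def login_uniform(username, password, captcha):
    """Requested behaviour: one constant message for every failure."""
    password_ok, captcha_ok = _checks(username, password, captcha)
    return "OK" if (password_ok and captcha_ok) else GENERIC_ERROR

def distinct_failure_messages(login):
    """Regression check: collect the messages returned across all failure modes."""
    cases = [
        ("alice", "wrong", EXPECTED_CAPTCHA),    # CAPTCHA right, password wrong
        ("alice", "correct horse", "bad"),       # password right, CAPTCHA wrong
        ("alice", "wrong", "bad"),               # both wrong
        ("mallory", "wrong", EXPECTED_CAPTCHA),  # unknown user
    ]
    return {login(*case) for case in cases}
```

A login test suite can assert that `distinct_failure_messages` returns exactly one message for the handler under test.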