Nextcloud: The password recovery let users know whether an email address exists or not in the website

ID H1:681468
Type hackerone
Reporter guilhermecruzdev
Modified 2019-11-22T17:51:03



I have tried to recover the password for some emails: (exists) (does not exist)

After I clicked the "reset my password" button, the website informed me that the email did not exist.


This is a bad practice, and it is an invitation to brute-force emails that possibly exist in the domain.

By using a wordlist of common passwords, it is possible to guess an email/password combination for an administrator account.
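As an added illustration (example code, not Nextcloud's own) of the enumeration oracle described in this report and the usual mitigation, a minimal reset handler in its leaking form next to a hardened one; the user table, messages and outbox below are constructed for the example.

```python
"""
Constructed example: a password-reset endpoint that reveals whether an
account exists, beside a version that answers uniformly either way.
"""
import secrets

# Constructed user table standing in for the application's accounts.
USERS = {"alice@example.com": {"display": "Alice"}}

# Pretend outbox so the example runs offline; a real app would send mail.
OUTBOX = []


def reset_vulnerable(email: str) -> dict:
    """Leaks existence: status and body differ depending on the lookup."""
    if email not in USERS:
        return {"status": 404, "message": "Email address not found."}
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))
    return {"status": 200, "message": "Password reset email sent."}


GENERIC_MESSAGE = (
    "If an account exists for this address, a reset link has been sent."
)


def reset_hardened(email: str) -> dict:
    """Same status and body on both paths, so the response carries no signal.

    The token is generated on both branches as well, so the expensive part
    of the work does not become a timing side channel for the same question.
    """
    token = secrets.token_urlsafe(32)
    if email in USERS:
        OUTBOX.append((email, token))
    return {"status": 200, "message": GENERIC_MESSAGE}


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Defender-side check: can a caller tell the two cases apart at all?"""
    a, b = handler(known), handler(unknown)
    return (a["status"], a["message"]) != (b["status"], b["message"])
```

The hardened handler should be paired with per-IP and per-address rate limiting, since a uniform response removes the oracle but not the cost of sending unsolicited mail.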