Bug E-Mail TFA leaks email address

There is a bug in this version
Kirby

Guest
This is most likely "Working as designed", but in that case the design is questionable ;)

TFA is meant to protect the account (and sensitive data within it), but unfortunately email TFA displays the following message when triggered:
An email has been sent to <b>{email}</b> with a single-use code. Please enter that code to continue.

In case of unauthorized access to the account (by an attacker that only has username and password), this leaks the user's email address - effectively...