
In many web applications, email is required to be a unique field, and users aren't allowed to register an account if their email already exists in the database.

When performing validation on the registration form, you would presumably check whether an email has been taken, and let the user know if it has, so they can either pick a different one or try to reset their password.

However, if you are providing this feedback, it seems like malicious users could test to see if users exist in the database. Someone could plausibly test your site against leaked data from big-name hacks, and if the users are reusing their passwords across sites, then your site is potentially vulnerable.

The solution to this could be simply giving more generic feedback about what went wrong without specifically mentioning email, although that could be frustrating for the average user trying to sign up. And if your sign up form simply requires an email and password, it is still pretty obvious that if any error is encountered it is likely that the email already exists in the database.

What is the best way from a security perspective to handle informing a user that an email has already been taken upon registration?

Matt Dalzell

2 Answers


An intuitive and simple solution is to make sure that an automated script (malicious script) cannot try to register with a list of e-mails in order to figure out which ones are registered. For example, use a CAPTCHA challenge as part of registration to make sure it is a human trying to register an account. In this way, even if a few user e-mails are tried, a massive number cannot be checked. Note we are assuming a strong CAPTCHA cannot be easily broken.

But if it is super sensitive and you must hide who is registered at the target website even from human users, then finish the registration and do not show any error message to the user that the e-mail is already registered; just inform the user at the end of the process that they now have to confirm the e-mail belongs to them, and ask them to go and check their e-mail. In the backend, if the e-mail is already registered, then do nothing; just send an e-mail to the owner of the e-mail and inform them: it seems you tried to re-register at our service again; if you have forgotten you have an account with us, this is your username, and if you cannot remember your password, go to the password reset page. To be on the safe side, you can mention that if you did not try to register with us again, please ignore this e-mail.

If the e-mail is not registered in the database, in the backend, create a random one-time use token in a URL and send to the new e-mail registered and ask them to confirm the new account if they meant to create a new account.

This way you absolutely hide everything from the bad guys.

Goli E

If this is a concern (i.e. if the fact of a person's membership would be considered sensitive information), one solution is to process the registration normally from the user's perspective on the registration page, but send a different e-mail out that explains that an account already exists/gives details on resetting the existing account (or replacing it if applicable) rather than a confirmation e-mail to verify the address.

AJAr
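Both answers describe the same flow: the registration page returns the same response whether or not the address is taken, and the distinction is moved into the e-mail that gets sent. Below is an added Python sketch of that flow (my own example, not code from either answerer); `Store`, `Outbox`, `register` and `confirm` are assumed names, and the in-memory dictionaries stand in for the users table, pending sign-ups and a mail service.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    """Constructed in-memory stand-in for the database."""
    users: dict = field(default_factory=dict)    # email -> (salt, password hash)
    pending: dict = field(default_factory=dict)  # one-time token -> (email, (salt, hash))


@dataclass
class Outbox:
    """Constructed stand-in for the mail service; records (recipient, subject)."""
    sent: list = field(default_factory=list)


def hash_password(password: str) -> tuple:
    # PBKDF2 stands in for a proper password hash. It runs in both branches of
    # register() so the response time does not differ for taken addresses.
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# The only thing the browser ever sees, taken or not.
GENERIC_RESPONSE = "Thanks! Check your inbox to finish setting up your account."


def register(email: str, password: str, store: Store, outbox: Outbox) -> str:
    email = email.strip().lower()
    record = hash_password(password)         # same work in both cases
    token = secrets.token_urlsafe(32)        # generated in both cases
    if email in store.users:
        # Existing account: tell the mailbox owner, never the requester on-page.
        outbox.sent.append((email, "You already have an account"))
    else:
        # New address: park the sign-up behind a one-time token until confirmed.
        store.pending[token] = (email, record)
        outbox.sent.append((email, "Confirm your new account"))
    return GENERIC_RESPONSE


def confirm(token: str, store: Store) -> bool:
    """Called from the link in the confirmation e-mail; the token is single-use."""
    entry = store.pending.pop(token, None)
    if entry is None:
        return False
    email, record = entry
    store.users.setdefault(email, record)    # account exists only after confirmation
    return True
```

A CAPTCHA or rate limit in front of `register` (as the first answer suggests) still belongs in a real deployment; this sketch only shows the indistinguishable-response part.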