
Information leak about subscribed users

Open robert-kisteleki opened this issue 9 years ago • 2 comments

If one tries to subscribe a second time, the behaviour is to show an error message "Your e-mail address has already been subscribed to.". This can be used by anyone to evaluate if a particular email is subscribed.

I think a better solution would be to show the default "thank you" page (with or without confirmation as per settings) and perhaps not even send an actual mail.

The concept may be applicable with other functions, I haven't yet explored them all ;-)

robert-kisteleki, Jan 30 '16 16:01

This information leak has been noticed before and, at the time, I felt the loss in convenience outweighed the security hazards. In hindsight, I guess it is worth reconsidering.

As the user needs to be aware that a confirmation message will be sent (i.e. they are not immediately subscribed), I would like to propose having a single ‘Thank you’ message containing this information.

Then it would provide a user interface consistent with the previously generated expectations to send an email regardless. For already subscribed users this might be a notice that they were already subscribed, though we could also simply send another activation message. Then, when the user clicks the link, the user experience is similar to a new subscription, though in the database nothing changes.

If you were to group this ticket with #108, which would make a lot of sense workload-wise, and you’d be poking in the ‘core’ of the package anyways, I would prefer to implement the ‘already subscribed’ email when subscribing again - without a subscription link in it.

dokterbob, Jan 31 '16 14:01

Just want to note that it not only leaks subscriber info, but also site user info.

"The e-mail address '[email protected]' belongs to a user with an account on this site. Please log in as that user and try again."

ekerstein, May 21 '22 06:05
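The oracle described in this thread (distinct responses for "already subscribed", "belongs to a site user" and "new"), together with the uniform-response fix dokterbob proposes, as an added example. This is not django-newsletter's code and uses no Django at all: the subscriber set, site-user set, in-memory outbox and the `subscribe_*`/`enumerate_oracle` function names are all constructed here for illustration. The quoted messages are the ones from the comments above; the "account-notice" mail in the hardened branch is an assumption about what a site user would be told.

```python
"""Added example (not django-newsletter's code): a minimal model of a
subscribe endpoint, showing the enumeration oracle and a uniform fix."""
from dataclasses import dataclass, field

# Constructed sample data: one existing subscriber, one site account.
SUBSCRIBERS = {"alice@example.com"}
SITE_USERS = {"bob@example.com"}


@dataclass
class Outbox:
    """Stand-in for the mail backend; records (recipient, kind) tuples."""
    sent: list = field(default_factory=list)


def subscribe_leaky(email, subscribers, site_users, outbox):
    """Behaviour reported in the issue: the response text reveals state,
    and only the 'new' branch sends mail (a second, timing-style tell)."""
    if email in site_users:
        return (f"The e-mail address '{email}' belongs to a user with an "
                "account on this site. Please log in as that user and try again.")
    if email in subscribers:
        return "Your e-mail address has already been subscribed to."
    outbox.sent.append((email, "activation"))
    return "Thank you; a confirmation message has been sent."


def subscribe_uniform(email, subscribers, site_users, outbox):
    """Hardened variant: the same page text and exactly one outbound mail
    in every branch, so neither the response nor the mail volume differs.
    The already-subscribed mail carries no activation link; what the
    site-user mail says is an assumption of this example."""
    if email in site_users:
        outbox.sent.append((email, "account-notice"))
    elif email in subscribers:
        outbox.sent.append((email, "already-subscribed"))
    else:
        outbox.sent.append((email, "activation"))
    return "Thank you; a confirmation message has been sent."


def enumerate_oracle(subscribe_fn, candidates, subscribers, site_users):
    """What an attacker does: submit each candidate address and compare the
    reply with the reply for an address known to be fresh. Returns the set
    of candidates the endpoint distinguishes, i.e. the leaked information.
    (Neither subscribe_* above mutates the stores, so repeated probes are safe;
    a real endpoint would add an unconfirmed record, which is a separate oracle.)"""
    fresh = "probe-fresh@attacker.invalid"  # constructed baseline, in neither set
    baseline = subscribe_fn(fresh, subscribers, site_users, Outbox())
    leaked = set()
    for candidate in candidates:
        reply = subscribe_fn(candidate, subscribers, site_users, Outbox())
        if reply != baseline:
            leaked.add(candidate)
    return leaked


def mails_per_branch(subscribe_fn, addresses, subscribers, site_users):
    """Count outbound mails for each address; a constant count across
    subscribed, site-user and fresh addresses removes the volume tell."""
    counts = {}
    for address in addresses:
        outbox = Outbox()
        subscribe_fn(address, subscribers, site_users, outbox)
        counts[address] = len(outbox.sent)
    return counts


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("leaky  :", enumerate_oracle(subscribe_leaky, probes, SUBSCRIBERS, SITE_USERS))
    print("uniform:", enumerate_oracle(subscribe_uniform, probes, SUBSCRIBERS, SITE_USERS))
    print("mails  :", mails_per_branch(subscribe_uniform, probes, SUBSCRIBERS, SITE_USERS))
```

Two things are checked, because fixing only the page text is not enough: the reply must be byte-identical across branches, and the amount of work done (here, mails queued) must be the same, otherwise response time or a rate-limited mail backend becomes the next oracle. Sending the "already subscribed" notice without an activation link, as proposed above, keeps both properties while still telling the legitimate user what happened.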