Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Bug? Reveal user email through Forgotten my password

edited September 2006 in Vanilla 1.0 Help
Yeah, just checked out again.

1. I'm a registered and logged in member.
2. I checkout someone's personal account page and see email - n/a
I can't see someone's email even if i'm registered and logged in - spam countermeasure, right?

1. I'm not logged in (registration doesn't matter).
2. I goto Sign In screen, Click Forgot Password and enter someone's username and then i see his email revealed in a message saying that instructions have been mailed to his inbox.
Even unlogged user can see someone's email address

My suggestion

Just remove the email address from that message. Or maybe add a captcha to forgot my password screen.


  • Here is some prior discussion on this topic, as well as two ways to prevent the email from being revealed.
  • MarkMark Vanilla Staff
    Wierd. I never thought of that. The reason I put the email in there in the first place is because I've used password retrievals before where I can't remember which email address I had used on the site. If it is an email that I no longer have access to, I want to be aware of it so I can contact the admins about it. Do you think just displaying the domain is a good enough resolution? Like, "A message has been sent to your email address with password reset instructions"
  • maybe just use some javascript document.write to output it? then spambots won't be able to read it..
    there's a lot scripts and plugins for blogs (i use Textpattern) that do this like this somefunction("my@email.addr") or somefunction(variable_with_mail_address) to zazzle the output through javascript..

    or display a domain name. but this won't help me, i have 4 accounts on, you see..
  • and a captcha may help, when a user is forced to solve captcha when entering username
  • my guess is if you can read it in plaintext, so can bots. The domain is good enough i guess.
  • JS would work to avoid spambots but the issue here is for users privacy, finnish. I thought the same as you the first time round till someone pointed out the reason users hid their email is cause they didnt want people knowing it. I'm guessing either the domain or the username would work. But i use the same username for a couple of my domains. Perhaps you could do some funky 1st/3rd/5th character thing? i.e. b*d*s**@h*t*a**.com thing? :D
  • eeek!! Someone tried to hack my account :P I got a Lussumo password-reset email and it sure wasn't me who activated that :D
  • here is a quick fix:
  • Jazzman, i did it :)
    just was browsing around some of your Vanilla Extensions and tried your username.
This discussion has been closed.