New account username and email enumeration

by Julian Pool -
Hi

A recent vulnerability assessment discovered that when using the manual accounts login for users, it is possible to determine whether a username or email address exists. Information could then be leveraged through phishing attempts at these users, or by conducting a brute-force attack on the passwords in order to gain access to the system.

  • "This username already exists, choose another"
  • "The email address is already registered. Perhaps you created an account in the past?"

This was also previously asked in this post here, but never received any reply.

Does anyone have any recommendations on how to resolve this, or is this something that is already mitigated in later versions of Moodle?

Thanks.
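
The signup behaviour described in the post above, next to a uniform-response variant and a regression check that flags the difference. This is an added example, not part of the original post and not Moodle code; `USERS`, `GENERIC`, the function names and the idea of moving the collision notice into an email are assumptions made for illustration.

```python
# Added illustration; not Moodle code. All names here are hypothetical.
USERS = {"alice": "alice@example.org"}  # constructed sample account store

GENERIC = "If the details are valid, a confirmation email has been sent."


def signup_leaky(username, email, outbox):
    """Behaviour reported in the post: the reply names the field that collided."""
    if username in USERS:
        return "This username already exists, choose another"
    if email in USERS.values():
        return ("The email address is already registered. "
                "Perhaps you created an account in the past?")
    outbox.append((email, "confirm"))
    return GENERIC


def signup_uniform(username, email, outbox):
    """Same on-screen reply in every case; the outcome goes to the mailbox only."""
    if email in USERS.values():
        outbox.append((email, "already-registered notice"))
    elif username in USERS:
        outbox.append((email, "username unavailable, pick another"))
    else:
        outbox.append((email, "confirm"))
    return GENERIC


def is_enumerable(signup):
    """Regression check: do replies differ between known and unknown values?"""
    probes = [("alice", "new@example.org"),      # existing username
              ("newuser", "alice@example.org"),  # existing email
              ("newuser", "new@example.org")]    # neither exists
    replies = {signup(u, e, []) for u, e in probes}
    return len(replies) > 1


if __name__ == "__main__":
    print("leaky form enumerable:", is_enumerable(signup_leaky))
    print("uniform form enumerable:", is_enumerable(signup_uniform))
```

A check like `is_enumerable` only compares response text; status codes, redirects and response timing need to match across the three cases as well, and rate limiting on the form still applies.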