
Account enumeration on verification-less signup

Çağlar Arlı

Is there a way to prevent account enumeration on the signup page if access to the site does not require you to verify your email?

The scenario is as follows: sign up for a site with email + password, and be allowed to use the site immediately. Some features require email validation, some don't, so the user can verify their email at a later stage. When registering, if we deny another registration with an email that already exists in the system, we get account enumeration. If we let them in, well, we just let anyone use any account without knowing a password.