8Nis
"Update my email", best way to prevent enumeration?
"Update my email" page has 2 fields: the new email and the current password.
I cannot find the correct way to protect against user enumeration if there's an error on the email field:
- if I silence the error, users won't know if they made a typo (other than format validation).
- I can send identical feedback ("We have processed your request and sent you a confirmation email"):
  - if I send it to the previous email address, I'll have to display an error in case the email is taken
  - if I send it to the new email address, it could lead to account takeover
What's the correct way to proceed?
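One way to get an identical response in both cases without handing the account to whoever controls the new address is to keep the change pending until the new address proves it can receive a single-use token, and to notify the current address of every request. The following is an added example written for this thread, not code from the question's author: `EmailChangeService`, `User`, `PendingChange`, the in-memory stores and the mail outbox are all constructed stand-ins, and the plaintext password field exists only to keep the example self-contained (a real service compares a password hash).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class User:
    user_id: int
    email: str
    password: str  # plaintext only so the example is self-contained; store a hash in practice


@dataclass
class PendingChange:
    user_id: int
    new_email: str


class EmailChangeService:
    # Same text whether the new address is free or already taken.
    GENERIC_MESSAGE = "We have processed your request and sent you a confirmation email."

    def __init__(self, users: List[User]) -> None:
        # Constructed in-memory "tables" standing in for a database (assumption).
        self.users: Dict[int, User] = {u.user_id: u for u in users}
        self.by_email: Dict[str, User] = {u.email.lower(): u for u in users}
        self.pending: Dict[str, PendingChange] = {}  # sha256(token) -> pending change
        self.outbox: List[dict] = []  # constructed stand-in for a mail queue

    def request_change(self, user_id: int, current_password: str, new_email: str) -> dict:
        user = self.users[user_id]
        # The caller is already logged in, so a wrong-password error reveals nothing about
        # other accounts; it is the one error this endpoint may surface about credentials.
        if not hmac.compare_digest(user.password, current_password):
            return {"ok": False, "message": "Current password is incorrect."}
        new_email = new_email.strip().lower()
        # Format validation is the only email-side error that is reported.
        if "@" not in new_email:
            return {"ok": False, "message": "Please enter a valid email address."}
        if new_email in self.by_email:
            # Address already registered: tell its owner, change nothing, and give the
            # requester exactly the same answer as in the free-address branch.
            self.outbox.append({"to": new_email, "kind": "already-registered-notice"})
        else:
            # Only the raw token goes out by mail; the store keeps a hash of it.
            token = secrets.token_urlsafe(32)
            token_hash = hashlib.sha256(token.encode()).hexdigest()
            self.pending[token_hash] = PendingChange(user_id, new_email)
            self.outbox.append({"to": new_email, "kind": "confirm-change", "token": token})
        # The current address always hears about the request, so a hijacked session
        # cannot quietly move the account elsewhere.
        self.outbox.append({"to": user.email, "kind": "change-requested-notice"})
        return {"ok": True, "message": self.GENERIC_MESSAGE}

    def confirm(self, token: str) -> bool:
        """Apply the pending change if the single-use token is valid and the address is still free."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        change = self.pending.pop(token_hash, None)
        if change is None or change.new_email in self.by_email:
            return False
        user = self.users[change.user_id]
        del self.by_email[user.email.lower()]
        user.email = change.new_email
        self.by_email[change.new_email] = user
        return True


if __name__ == "__main__":
    svc = EmailChangeService([User(1, "alice@example.com", "pw-alice"),
                              User(2, "bob@example.com", "pw-bob")])
    print(svc.request_change(1, "pw-alice", "bob@example.com"))    # taken: generic message
    print(svc.request_change(1, "pw-alice", "carol@example.com"))  # free: same message
    token = next(m["token"] for m in svc.outbox if m["kind"] == "confirm-change")
    print(svc.confirm(token), svc.users[1].email)
```

The two outbound branches cost about the same (one queued message each), so the response body and timing stay uniform; in a real deployment the mail send happens asynchronously and the endpoint is rate-limited per session, since the remaining oracle is only "did a confirmation arrive at an inbox the attacker already controls".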