Replies: 1 comment
-
I'm not sure how an attacker will gain any information since the message is generic, but maybe I'm missing something? See https://flask-security-too.readthedocs.io/en/stable/patterns.html#generic-responses-avoiding-user-enumeration for more information on generic response proposed by Flask-Security-Too.
-
The data.gouv.fr application allows you to enumerate already registered and valid emails via the /fr/reset page. The application returns messages such as "Instructions to reset your password have been sent to [email protected]." whether or not the email exists on the platform.
I think it should return a message like: "Instructions to reset your password have been sent to your email".
This information can help an attacker to:
Validate a list of addresses to use in phishing attacks;
Validate a list of usernames to perform brute force attacks on the credentials.
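The two behaviours discussed in this thread, side by side, as an added example: this is not code from data.gouv.fr or from Flask-Security-Too, but a plain-Python stand-in for a password-reset view. The user store (`REGISTERED`), the `Mailer` test double, the two handler functions and the message strings are all constructed here; the check at the end is the one a reviewer would run to confirm that the reply text does not depend on whether the address is registered.

```python
# Added example (not code from data.gouv.fr or Flask-Security-Too): a minimal
# password-reset handler in two variants. The leaky one changes its wording
# depending on whether the address exists; the generic one replies with the
# same text either way and only the side effect (sending the mail) differs.
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed sample user store: the set of registered addresses.
REGISTERED = {"alice@example.org", "bob@example.org"}


@dataclass
class Mailer:
    """Records outgoing reset mails instead of sending them (constructed test double)."""
    sent: List[str] = field(default_factory=list)

    def send_reset(self, email: str) -> None:
        self.sent.append(email)


def reset_leaky(email: str, mailer: Mailer) -> str:
    """Leaky variant: an attacker can tell from the reply whether the account exists."""
    if email in REGISTERED:
        mailer.send_reset(email)
        return f"Instructions to reset your password have been sent to {email}."
    return "No account is registered for this email address."


# One fixed message, independent of the account's existence (constructed wording).
GENERIC_MESSAGE = (
    "If an account exists for that address, instructions to reset "
    "your password have been sent to it."
)


def reset_generic(email: str, mailer: Mailer) -> str:
    """Hardened variant: identical reply for registered and unregistered addresses.

    The mail is still only sent when the account exists, so the legitimate
    user is served while the HTTP response reveals nothing to an observer.
    """
    if email in REGISTERED:
        mailer.send_reset(email)
    return GENERIC_MESSAGE


def responses_are_indistinguishable(
    handler: Callable[[str, Mailer], str], known: str, unknown: str
) -> bool:
    """Defender's check: the reply for a registered address must equal the reply
    for an unregistered one; if not, the endpoint enables user enumeration."""
    return handler(known, Mailer()) == handler(unknown, Mailer())


if __name__ == "__main__":
    for name, handler in (("leaky", reset_leaky), ("generic", reset_generic)):
        same = responses_are_indistinguishable(
            handler, "alice@example.org", "nobody@example.org"
        )
        print(f"{name}: responses indistinguishable = {same}")
```

The same check applies to anything else the endpoint exposes, not just the body text: status codes, redirects and error pages should also be compared between a known and an unknown address before an endpoint is considered free of enumeration.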