
This is a real attack vector. It's called a timing attack: http://en.wikipedia.org/wiki/Timing_attack

I am familiar with timing attacks. The thought of someone attempting to apply it over the internet to verify whether an email is registered on a dating site seems laughable.


Applying it over the Internet is quite feasible, especially with simple code. If it connects to a remote SMTP server, the delay may very well be noticeable enough without doing any complicated timing. It might be just about as easy as scraping the page for "user not found" versus "email sent".
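To make the point in the comment above concrete, here is an added example (not code from the thread or from any dating site): a toy password-reset handler that leaks membership through both its response text and its latency, because it only talks to a remote SMTP server when the address is registered, beside a version that returns the same message and does the same inline work for everyone, pushing the mail into a queue for a background worker. The user store, addresses, the simulated SMTP delay and all function names are constructed for the illustration.

```python
# Added example, not from the original thread: a password-reset endpoint that
# leaks account existence via its body and its timing, and a hardened version.
# The user store, addresses and 50 ms "SMTP" delay are constructed values.
import statistics
import time
from collections import deque

# Constructed sample user store: addresses that have an account.
REGISTERED = {"alice@example.org", "bob@example.org"}

# Simulated cost of a blocking connection to a remote SMTP relay (assumption).
SMTP_DELAY_SECONDS = 0.05


def _send_mail_over_smtp(recipient: str) -> None:
    """Stand-in for a synchronous SMTP handshake and DATA to a remote relay."""
    time.sleep(SMTP_DELAY_SECONDS)


def reset_password_leaky(email: str) -> str:
    """Two oracles at once: a distinct message, and a slow path only for members."""
    if email not in REGISTERED:
        return "user not found"          # fast path, no network at all
    _send_mail_over_smtp(email)          # remote SMTP round trip, members only
    return "email sent"


OUTBOX = deque()   # stand-in for an asynchronous mail queue drained by a worker


def reset_password_hardened(email: str) -> str:
    """Same response and same inline work regardless of membership.

    Membership is still checked, but the only effect is enqueuing a job for a
    background worker; the expensive SMTP conversation never happens inline,
    so the response time no longer depends on whether the account exists.
    """
    if email in REGISTERED:
        OUTBOX.append(("password_reset", email))
    return "If that address is registered, a reset link has been sent."


def median_latency(handler, email: str, samples: int = 5) -> float:
    """Median wall-clock time of handler(email) over `samples` calls."""
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        handler(email)
        timings.append(time.perf_counter() - t0)
    return statistics.median(timings)


def enumerate_by_body(handler, candidates) -> set:
    """Attacker view, scraping variant: probe an address that cannot exist to
    learn the 'not found' response, then flag anything that answers differently."""
    baseline = handler("definitely-not-a-user@invalid.example")
    return {e for e in candidates if handler(e) != baseline}


def enumerate_by_timing(handler, candidates, threshold: float) -> set:
    """Attacker view, timing variant: flag an address as registered when the
    endpoint's median latency exceeds `threshold` seconds."""
    return {e for e in candidates if median_latency(handler, e) > threshold}


if __name__ == "__main__":
    probes = ["alice@example.org", "carol@example.org"]
    cutoff = SMTP_DELAY_SECONDS / 2
    print("leaky, by body    :", enumerate_by_body(reset_password_leaky, probes))
    print("leaky, by timing  :", enumerate_by_timing(reset_password_leaky, probes, cutoff))
    print("hardened, by body :", enumerate_by_body(reset_password_hardened, probes))
    print("hardened, by time :", enumerate_by_timing(reset_password_hardened, probes, cutoff))
```

Against the leaky handler both attacker functions return only alice; against the hardened one both return nothing, and the reset mail for alice still goes out via the queue. The threshold here is generous because a blocking SMTP round trip costs tens of milliseconds, which is exactly why no statistics are needed to spot it across the Internet; the residual difference in the hardened version (one set lookup and one append) is far below typical network jitter, and a real attacker would need many samples to have any hope of seeing it.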

I assume that was the original point - that on risqué dating sites, the recover password system tries to hide membership.

