Hacker News new | comments | show | ask | jobs | submit login

Applying it over the Internet is quite feasible, especially with simple code. If it connects to a remote SMTP server, the delay may very well be noticeable enough without doing any complicated timing. It might be just about as easy as scraping the page for "user not found" versus "email sent".

I assume that was the original point - that on risque dating sites, the recover password system tries to hide membership.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact