
Google suggests enabling email enumeration protection, but despite that being enabled, when a user (with the intention of discovering whether a given email address exists on the app) tries to sign up (register) with an email that already exists, the Google Identity Platform reveals that the email does exist.

    {
      "error": {
        "code": 400,
        "message": "EMAIL_EXISTS",
        "errors": [
          {
            "message": "EMAIL_EXISTS",
            "domain": "global",
            "reason": "invalid"
          }
        ]
      }
    }

Below is the partial output showing that the email protection is enabled:

    {
      "name": "projects/601070666666/config",
      "signIn": {
        "email": {
          "enabled": true,
          "passwordRequired": true
        }
      },
      "emailPrivacyConfig": {
        "enableImprovedEmailPrivacy": true
      }
    }

I followed all the steps

Frank van Puffelen
puzzled

I was having the same issue for awhile and then realized it was my fault because I didn't apply it to the correct project. – Evan May 09 '23 at 14:22
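The comment above points at the most common cause: the setting was applied to a different project from the one the app's API key belongs to. The following script, added here as an example and not part of the question or of Google's own tooling, parses a config resource like the one pasted in the question and reports two things: whether `emailPrivacyConfig.enableImprovedEmailPrivacy` is `true`, and whether the project number in `name` matches the project the app actually uses. The live fetch assumes the Identity Platform Admin API endpoint `GET https://identitytoolkit.googleapis.com/admin/v2/projects/{project}/config` and an access token from `gcloud auth print-access-token`; the embedded sample is constructed from the question's fragment, balanced into valid JSON. Note that this only verifies the setting; as the answer below explains, a sign-up attempt with an already registered email still has to fail.

```python
"""Check that Identity Platform email enumeration protection is enabled
for the project an application really talks to."""
import json
import os
import subprocess
import urllib.request

# Constructed sample modelled on the config fragment in the question,
# balanced into valid JSON. Not a live response.
SAMPLE_CONFIG = json.loads("""
{
  "name": "projects/601070666666/config",
  "signIn": {
    "email": {"enabled": true, "passwordRequired": true}
  },
  "emailPrivacyConfig": {"enableImprovedEmailPrivacy": true}
}
""")


def project_from_config(config):
    """Return the project number/ID from the resource name 'projects/<id>/config'."""
    name = config.get("name", "")
    parts = name.split("/")
    if len(parts) != 3 or parts[0] != "projects" or parts[2] != "config":
        raise ValueError(f"unexpected config resource name: {name!r}")
    return parts[1]


def email_privacy_enabled(config):
    """True only when enableImprovedEmailPrivacy is explicitly true."""
    privacy = config.get("emailPrivacyConfig") or {}
    return privacy.get("enableImprovedEmailPrivacy") is True


def check_config(config, expected_project):
    """Return (ok, findings). findings is empty when everything is as expected."""
    findings = []
    actual = project_from_config(config)
    if actual != expected_project:
        # Evan's case in the comments: the flag was set on another project.
        findings.append(
            f"config belongs to project {actual}, but the app uses {expected_project}"
        )
    if not email_privacy_enabled(config):
        findings.append("emailPrivacyConfig.enableImprovedEmailPrivacy is not true")
    return (not findings, findings)


def fetch_config(project):
    """Fetch the live config. Endpoint and auth flow are assumptions
    (Identity Platform Admin API v2, token from gcloud); requires
    credentials with permission to read the project's config."""
    token = subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True
    ).strip()
    url = f"https://identitytoolkit.googleapis.com/admin/v2/projects/{project}/config"
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": f"Bearer {token}",
            # Quota/billing project for the request; commonly required.
            "x-goog-user-project": project,
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Set PROJECT_ID to the project the app's API key belongs to;
    # without it the constructed sample is checked instead.
    project = os.environ.get("PROJECT_ID")
    cfg = fetch_config(project) if project else SAMPLE_CONFIG
    ok, problems = check_config(cfg, project or "601070666666")
    print("OK: protection enabled on the expected project" if ok else "\n".join(problems))
```

Run it with `PROJECT_ID` set to the project whose API key the client SDK is configured with; if the project in the findings differs from the one you enabled the setting on, you have the mismatch the comment describes.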

1 Answer

Email enumeration protection only makes sense for apps where self-serve signups are disabled (i.e. every user must be created by an admin).

If this weren't the case, what should happen when a user tries to create an account with an already registered e-mail? Since the account cannot be created, an error must occur. If you try to obscure the error but it happens every time with that e-mail and not with others, then what's happening would be obvious to an attacker.

andresgottlieb