Help Leecher

Reputation: 119

Registration automatic input validation security/privacy concern

So I have created a registration page that automatically checks whether the username, email address and phone you have entered already exist or not. If any one of them is already registered to an account then you get a notification on the same page as soon as you click out of the input field, saying that it's already registered and that you should enter a different value.

Now my concern is that someone might write a script that brute-forces values into these fields and records whether the entered data is already registered or not. That way they can get a list of all registered usernames, phones, and emails.

Is this something to care about and something that you should prevent? I can implement something that allows only about 10-20 input validation checks per IP. Is it worth going through the effort? Is leaking the list of all registered usernames considered a vulnerability and/or bad practice?

If you think that I should prevent this, what do you think would be the best way of going about it?

Upvotes: 0

Views: 51

Answers (1)

Savan Gadhiya

Reputation: 305

You can prevent brute-forcing of the registration page by using the following:

  1. Using a captcha such as reCAPTCHA (the preferred one).
  2. Using a generic message, such as "You will receive an email on {email_id} if it is not already registered to the application". However, as you mentioned, you want to verify the username, email id and phone number. In this situation you can validate the email id or phone number by OTP; once the user has validated the email id or phone number (or both, as per your application context) you can provide the option to select the username. However, a malicious user can still brute-force the username here, but you can set a limit in this scenario using the verified phone number/email id.

Upvotes: 1
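The two defences described in the answer (a generic, outcome-independent response for email checks, and a username check that is only answered for an OTP-verified requester and rate-limited per verified identity rather than per IP) as an added, self-contained example; this is not the answerer's code, and the function names, the sample account data and the limiter parameters are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample data standing in for the accounts table.
REGISTERED_EMAILS = {"alice@example.com"}
REGISTERED_USERNAMES = {"alice"}


class ValidationRateLimiter:
    """Sliding-window limiter: at most `limit` checks per key per `window` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)  # key -> timestamps of recent checks

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_email(email, ip, limiter):
    """Generic response: the HTTP reply is identical whether or not the address
    is registered, so the page itself confirms nothing. The real outcome goes
    out-of-band (a verification mail or an 'already registered' mail to the
    mailbox owner). The per-IP limiter only caps raw request volume."""
    if not limiter.allow(("ip", ip)):
        return {"status": "rate_limited"}
    # Side effect in a real app: send the appropriate mail to `email` here.
    return {"status": "ok",
            "message": f"You will receive an email at {email} if it is not already registered."}


def check_username(username, verified_identity, limiter):
    """Username availability is answered only for a requester whose email or
    phone has already been verified by OTP, and the limit is keyed on that
    verified identity, so one identity cannot sweep the username space."""
    if verified_identity is None:
        return {"status": "verification_required"}
    if not limiter.allow(("identity", verified_identity)):
        return {"status": "rate_limited"}
    return {"status": "ok", "available": username.lower() not in REGISTERED_USERNAMES}
```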
