vulnerability-lookup site: Possible to check if email address is used
Disclosure Status
approved
March 28, 2026
April 09, 2026
Description
Finding
I am not sure if this qualifies as a vulnerability, if email addresses of users are considered sensitive, especially as this is implemented with intention (the validate function for LoginForm in forms.py). In the vulnerability-lookup site (so... this one) you can check whether a user account exists for a specific email address. There also doesn't seem to be any significant automation protection to prevent automating this.
I haven't found a way to associate the email with a user but, you know, still an information leak.
Reproducibility
Go to /user/login. Attempt to log in with an email you want to check.
If a user with this email exists you will be told (e.g. mk.ii76hki2y6up@mkla.de):
Please use your login name instead of your email address.
Impossible to login.
If no user with this email exists you will be told (e.g. doesnotexist@mkla.de):
Impossible to login.
Automation does not require any real effort, just grab a request with a valid CSRF token & iterate over target emails, grepping for the "Please use your login name" string.
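The following is an added illustration, not code from vulnerability-lookup's forms.py: a minimal model of the login check described above, with the leaky branching beside a uniform-response version, and a small oracle a defender can keep in a test suite to catch the regression. The user store, salt, password and function names are constructed for the example; only the two response strings and the two sample addresses come from the report.

```python
"""Login-form account enumeration: leaky check, uniform check, and a test oracle.

Added example, not the project's own code. USERS, the salt and the password
below are constructed sample data."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = os.urandom(16)  # constructed; one salt for all records keeps the demo short

# Constructed sample store: login name -> (email, password hash).
USERS = {
    "mkla": ("mk.ii76hki2y6up@mkla.de", _hash("correct horse", _SALT)),
}
# Hashed once at start-up so the uniform path does equal work for unknown identifiers.
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _SALT)

LEAKY_EMAIL_MSG = "Please use your login name instead of your email address."
GENERIC_MSG = "Impossible to login."


def validate_leaky(identifier: str, password: str):
    """Vulnerable pattern: the message differs depending on whether the
    submitted email belongs to a registered user."""
    if "@" in identifier:
        if any(email == identifier for email, _ in USERS.values()):
            return False, LEAKY_EMAIL_MSG  # only emitted for registered emails
        return False, GENERIC_MSG
    rec = USERS.get(identifier)
    if rec and hmac.compare_digest(rec[1], _hash(password, _SALT)):
        return True, ""
    return False, GENERIC_MSG


def validate_uniform(identifier: str, password: str):
    """Hardened pattern: same message and same hashing cost whatever the
    identifier is, so neither the text nor the timing reveals existence."""
    rec = USERS.get(identifier)  # an email never matches a login name
    stored = rec[1] if rec else _DUMMY_HASH
    # _hash() is always evaluated, even when rec is None.
    matched = hmac.compare_digest(stored, _hash(password, _SALT))
    if rec is not None and matched:
        return True, ""
    return False, GENERIC_MSG


def leaks_existence(validate, registered_email: str, unknown_email: str) -> bool:
    """Oracle for a regression test: with a wrong password, do a registered
    and an unregistered email produce different responses?"""
    return validate(registered_email, "x")[1] != validate(unknown_email, "x")[1]


if __name__ == "__main__":
    known, unknown = "mk.ii76hki2y6up@mkla.de", "doesnotexist@mkla.de"
    print("leaky   :", leaks_existence(validate_leaky, known, unknown))
    print("uniform :", leaks_existence(validate_uniform, known, unknown))
```

The uniform variant still lets a real user log in with their login name and password; it just refuses to explain why an email was rejected, and it hashes a dummy record for unknown identifiers so response time does not become a second oracle. A rate limit on the login endpoint reduces the bulk-query problem but does not remove the leak on its own.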
Impact
Minor information leak about the user base as a whole.
Patches
None.
Workarounds
Automation protection to reduce automation potential?
References
Details
nyanbinary