Hacker News

dgoldstein0 | last Saturday at 8:05 PM | 3 replies

Why on earth would the backend function even take an email?

Or perhaps said differently: use the submitted info to identify the account; send any sensitive messages (recovery codes, password resets, whatever) only to the contact info on file. If the chat bot can send such email, it should do so via an API that sends only to contact info on file for the associated account, not to an email that's provided by the bot.


Replies

duskwuff | last Saturday at 8:18 PM

> Why on earth would the backend function even take an email?

In principle, it could be designed to do so to handle cases where a new email address has been confirmed out of band, e.g. for an account representing a company or a political office. But that's a relatively unusual situation, not something you'd want to be available to every user writing in. (Even if you had an all-human support department, this sort of functionality would only be available to a select few agents.)

Cpolly | yesterday at 1:24 AM

Some sites do this to prevent password-recovery spam; you need to provide two pieces of information. Ideally without telling the client if they wrote the wrong email; that'd be a security issue of its own.

Polizeiposaune | yesterday at 6:15 AM

When such systems are hooked up to a web page, they often will ask which contact should receive the reset code.

(Pick one:

"send text to number ending in -1234"

"send text to number ending in -5678"

"send email to [email protected]" )
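The design sketched in this thread (dgoldstein0's "send only to contact info on file", Cpolly's two-piece lookup with no hint about which piece was wrong, and Polizeiposaune's masked channel picker) as an added Python example; this is not code from the thread or from any real support system. The account directory, usernames, phone numbers and addresses are constructed sample data, and the "outbox" list stands in for a real SMS/email gateway so the code runs offline.

```python
"""Password-reset delivery that can only target contact info already on file.

The public entry points never accept a destination address or number: the
caller identifies the account and picks a masked channel id, and the server
resolves that id against its own records.
"""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets


@dataclass(frozen=True)
class Account:
    account_id: str
    username: str
    phones: tuple        # verified numbers on file
    emails: tuple        # verified addresses on file


# Constructed sample directory standing in for the account database.
ACCOUNTS = (
    Account("acct-1", "alice", ("+15550001234", "+15550005678"), ("alice@example.com",)),
    Account("acct-2", "bob", (), ("bob@example.org",)),
)


def find_account(username: str, email: str) -> Optional[Account]:
    """Two-piece lookup: both the username and the email on file must match.

    Returns the same result (None) whether the username is unknown or the
    email is wrong, so a probing client cannot tell which piece failed.
    """
    for acct in ACCOUNTS:
        user_ok = hmac.compare_digest(acct.username.encode(), username.strip().lower().encode())
        email_ok = any(
            hmac.compare_digest(known.encode(), email.strip().lower().encode())
            for known in acct.emails
        )
        if user_ok and email_ok:
            return acct
    return None


def list_channels(account: Account) -> list:
    """Masked choices presented to the user; the real destination never leaves the server."""
    channels = []
    for i, phone in enumerate(account.phones):
        channels.append((f"sms:{i}", f"send text to number ending in -{phone[-4:]}"))
    for i, addr in enumerate(account.emails):
        local, _, domain = addr.partition("@")
        channels.append((f"email:{i}", f"send email to {local[0]}***@{domain}"))
    return channels


def send_reset_code(account: Account, channel_id: str, outbox: list) -> str:
    """Deliver a one-time code to the contact identified by channel_id.

    channel_id is an index into the account's own contact lists; anything
    that is not "sms:<n>" or "email:<n>" with n in range is rejected, so a
    caller (human, bot or LLM agent) cannot smuggle in an arbitrary address.
    The code is returned only so the caller can store a hash of it.
    """
    kind, _, idx = channel_id.partition(":")
    pool = {"sms": account.phones, "email": account.emails}.get(kind)
    if pool is None or not idx.isdigit() or int(idx) >= len(pool):
        raise ValueError("unknown reset channel")
    code = f"{secrets.randbelow(10 ** 6):06d}"
    outbox.append((kind, pool[int(idx)], code))   # constructed gateway sink
    return code


def request_reset(username: str, email: str, outbox: list) -> str:
    """Public entry point for step one. Always answers with the same sentence."""
    account = find_account(username, email)
    if account is not None and list_channels(account):
        # In a real flow the channel choice comes back in a second request tied
        # to a server-side session; here we pick the first channel to show the path.
        send_reset_code(account, list_channels(account)[0][0], outbox)
    return "If the details match an account, a reset code has been sent."


if __name__ == "__main__":
    box = []
    print(request_reset("alice", "alice@example.com", box))
    print(request_reset("alice", "someone-else@example.net", box))   # same reply, nothing sent
    print(box)
```

The point of `send_reset_code` taking an `Account` plus a channel index rather than a string destination is that there is no parameter through which a prompt-injected bot could route the code elsewhere; the worst an out-of-range or malformed channel id can do is raise.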