# ory-network
f
The default Managed UI seems to have account enumeration.
s
This is not a UI issue, but you have to require verification for every user before they get a session to mitigate enumeration. Otherwise an attacker could just sign up using the victim's address, and depending on whether they get a session or not they would know that the account exists.
f
Even if I require verification, the attacker can find out what accounts exist by attempting various emails in the registration form.
What should happen is that the user fills out the registration form, and the app always responds with a success message (provided the form was filled out correctly). Then, the content of the email the user receives is conditional on whether an account already exists for that user or not.
s
yes exactly, that's what happens
f
That is not what happens (at least in my app). After you submit the form, you get the error msg in my screenshot above.