severity_rating: low created_at: 2019-01-05 02:46:39 vendor: liberapay https://hackerone.com/liberapay bounty_amount:

From the login screen (https://liberapay.com/sign-in?back_to=/) we can try to log in using only the email, leaving the password field empty. When this is done with an email that does not exist on the system, we receive the following response: "We did not find any account whose primary email address is [email protected]"

But when we use an email that exists in the system, such as "[email protected]", we receive a different response: we are redirected to another page and, as a result, get a different HTTP status code in the response.

This can be implemented in a simple script with curl, or even using Burp Suite, in order to perform it on a larger scale, thus making this a user enumeration attack.

Impact

Possibility to enumerate, at large scale, the users existing in the application.
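The oracle the report describes is a login handler whose status code, body, or redirect target depends on whether the submitted email is registered. The following added example (not Liberapay's code) models that behaviour in a minimal handler, places a hardened handler beside it that returns one uniform failure response on both paths, and includes a regression check a defender can run to confirm that an empty-password probe no longer distinguishes known from unknown addresses. The user store, the `alice@example.test` account, the password hashing scheme, and the `/sign-in/password` redirect target are all constructed for the example.

```python
# Added example (not Liberapay's code): vulnerable vs. hardened login handler
# for the email-enumeration oracle, plus a regression check.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; PBKDF2 is used here only because it is in stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: email -> (salt, password hash). This stands in for
# the "email that exists in the system" case from the report.
_SALT = os.urandom(16)
USERS = {"alice@example.test": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so the hardened path does the same hashing work for an
# unknown email as for a known one (no timing difference between branches).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    location: Optional[str] = None  # redirect target, if any


def login_vulnerable(email: str, password: str) -> Response:
    """Mirrors the behaviour in the report: an unknown email gets a 200 with a
    specific message, while a known email takes a different branch (a 302
    redirect), even when the password field is empty."""
    if email not in USERS:
        return Response(200, f"We did not find any account whose primary email address is {email}")
    # Existing-account branch: different status code, body and location.
    return Response(302, "", location="/sign-in/password")


def login_hardened(email: str, password: str) -> Response:
    """Uniform failure response regardless of whether the email exists.
    Always verifies a hash (real or dummy) so both paths do equal work."""
    salt, expected = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if ok and email in USERS:
        return Response(302, "", location="/")
    return Response(200, "The email address or password is incorrect.")


def is_enumeration_oracle(handler: Callable[[str, str], Response],
                          known_email: str, unknown_email: str) -> bool:
    """Regression check: True if an empty-password attempt lets a caller
    tell a registered email apart from an unregistered one by status,
    redirect target, or body."""
    a = handler(known_email, "")
    b = handler(unknown_email, "")
    return (a.status, a.location, a.body) != (b.status, b.location, b.body)


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        leaks = is_enumeration_oracle(handler, "alice@example.test", "nobody@example.test")
        print(f"{name}: enumeration oracle = {leaks}")
```

The check compares status code, redirect target, and body together, because fixing only the message text while leaving the redirect in place would still leave the status-code difference the report points out.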
