Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by basil - 29.01.2024
Last edited by cbay - 29.01.2024

FS#19 - User Enumeration Through Forgot Password Vulnerability

The application's "Forgot Password" feature allows user enumeration. This is because the application responds with a different message depending on whether the submitted email address is registered or not.
(https://admin.alwaysdata.com/password/lost/)

Steps to Reproduce:

1. Access the "Forgot Password" page.
2. Enter a random, non-registered email address.
3. Submit the request.
4. Observe the response message: the message states "There is no account with this email address," which means that user enumeration is possible.

An attacker could exploit this vulnerability to:

  • Gather a list of valid user email addresses.
  • Launch targeted phishing attacks.
  • Use the information to attempt password guessing or brute force attacks.

Remediation:
Implement Generic Response: The application should provide the same response message regardless of whether the email address is registered or not. This prevents attackers from differentiating between valid and invalid accounts.

Additional Notes:

I am aware that this bug is not eligible for a bounty but wanted to bring it to the team's attention.

Best wishes,
Basil
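The report's remediation (one generic response whether or not the address is registered) is easy to get subtly wrong: the status code, redirect target or response time can leak the same bit as the message text. The following is an added example, not alwaysdata's code, that shows a minimal lost-password handler in its leaking form beside a hardened form, plus the comparison an attacker would run. The user table, mail outbox and message strings are constructed for the example.

```python
import secrets

# Constructed sample user table; a real handler would query the account database.
REGISTERED = {"alice@example.com": "user-1", "bob@example.com": "user-2"}

# One message for every outcome; the wording must not depend on the lookup result.
GENERIC_MSG = "If an account exists for that address, a reset link has been sent."


def enqueue_reset_mail(email: str, token: str, outbox: list) -> None:
    """Stand-in for handing the mail to a background queue (in-memory here).

    Sending inline would make the registered case measurably slower, so the
    hardened handler only enqueues and returns immediately either way."""
    outbox.append((email, token))


def lost_password_vulnerable(email: str, outbox: list) -> tuple[int, str]:
    """Leaks registration status through both the status code and the body."""
    email = email.strip().lower()
    if email not in REGISTERED:
        return 404, "There is no account with this email address."
    enqueue_reset_mail(email, secrets.token_urlsafe(32), outbox)
    return 200, "A reset link has been sent."


def lost_password_hardened(email: str, outbox: list) -> tuple[int, str]:
    """Same status and body regardless of whether the address is registered."""
    email = email.strip().lower()
    if email in REGISTERED:
        enqueue_reset_mail(email, secrets.token_urlsafe(32), outbox)
    return 200, GENERIC_MSG


def enumerate_candidates(handler, candidates: list) -> set:
    """Attacker's view of the endpoint: compare each candidate address with the
    response for a throwaway address that certainly does not exist. Any candidate
    that yields a different (status, body) pair is flagged as registered."""
    baseline = handler("nobody-" + secrets.token_hex(8) + "@example.invalid", [])
    return {c for c in candidates if handler(c, []) != baseline}


if __name__ == "__main__":
    probe = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("vulnerable leaks:", sorted(enumerate_candidates(lost_password_vulnerable, probe)))
    print("hardened leaks:  ", sorted(enumerate_candidates(lost_password_hardened, probe)))
```

The comparison deliberately treats the whole (status, body) pair as the observable, not just the text: returning a 200 page with a generic message but a 404 or a different redirect for unknown addresses would still be enumerable. Response timing is the remaining channel; deferring the actual mail delivery to a queue, as the hardened handler does, keeps the two paths close in cost.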

Closed by cbay
29.01.2024 17:15
Reason for closing: Invalid
Admin
cbay commented on 29.01.2024 16:08

Hello,

There's no point trying to hide whether the email address is registered or not on the "password lost" page, as the sign up page could be used instead (and we can't hide this information on that page).

That's the same for Gmail, for instance. When signing up, if you enter an existing username, Gmail will tell you so.

Kind regards,
Cyril

basil commented on 29.01.2024 16:54

Hi Cyril,

I understand if you don't see it as a valid vulnerability, but since other companies do, I felt it was important to inform you. Feel free to close the task. I look forward to working with you again.

Sincerely,
Basil

Admin
cbay commented on 29.01.2024 16:58

How do these companies hide that the email address is already in use on the sign up page?

basil commented on 29.01.2024 17:13

While it's inevitable to reveal email registration status in the case of a normal user accidentally entering a wrong email address, implementing rate limiting and captchas can deter automated attacks (which is the main way an attacker would use user enumeration), make it very inconvenient and minimize the usefulness of any gained information for attackers.

Admin
cbay commented on 29.01.2024 17:14

We already have rate-limiting in place.

basil commented on 29.01.2024 17:18

My apologies, I have not tested for rate-limiting yet.
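The exchange above turns on rate limiting as the practical control when the sign-up page makes the registration bit impossible to hide. As an added example, not alwaysdata's implementation, here is a per-client sliding-window limiter placed in front of a lost-password handler, with an injectable clock so the window behaviour can be checked without sleeping. The limit of 5 requests per 60 seconds, the client keys and the messages are assumed values chosen for the example.

```python
from collections import defaultdict, deque


class WindowRateLimiter:
    """Allow at most `limit` requests per `window` seconds for each key.

    The key is whatever identifies the client (source IP, session, account);
    a per-IP key is the common choice for unauthenticated endpoints such as
    a lost-password form."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: dict = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


GENERIC_MSG = "If an account exists for that address, a reset link has been sent."
THROTTLED_MSG = "Too many requests from this client; please try again later."


def handle_lost_password(limiter: WindowRateLimiter, client_ip: str,
                         email: str, now: float) -> tuple[int, str]:
    """Lost-password endpoint: throttle first, then answer generically.

    The limiter is consulted before any account lookup, so a throttled client
    learns nothing about the address it submitted."""
    if not limiter.allow(client_ip, now):
        return 429, THROTTLED_MSG
    # Account lookup and reset-mail enqueueing would go here; the response
    # is the same for registered and unregistered addresses.
    return 200, GENERIC_MSG


def probes_allowed(limiter: WindowRateLimiter, client_ip: str,
                   candidates: list, start: float, interval: float) -> int:
    """How many candidate addresses a single client gets through before 429,
    submitting one every `interval` seconds starting at `start`."""
    allowed = 0
    for i, email in enumerate(candidates):
        status, _ = handle_lost_password(limiter, client_ip, email, start + i * interval)
        if status == 200:
            allowed += 1
    return allowed


if __name__ == "__main__":
    lim = WindowRateLimiter(limit=5, window=60.0)
    guesses = [f"user{i}@example.com" for i in range(50)]
    # Constructed scenario: 50 guesses, one per second, from one source address.
    print("guesses answered in first minute:", probes_allowed(lim, "198.51.100.7", guesses, 0.0, 1.0))
```

The limiter keys on the client, so an attacker who spreads the enumeration across many source addresses, or waits out the window, still makes progress at a reduced rate; this is why the comment above pairs rate limiting with captchas rather than presenting either as a full fix. Keying on the submitted email address as well (a second limiter instance) bounds how often any one account can be targeted regardless of source.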
