Task Description
Dear Security Team,
I hope you are doing well.
I would like to responsibly disclose a security issue identified in the password reset functionality of your application. During testing, I observed that the application returns different responses for registered and non-registered email addresses, which allows an attacker to determine whether a specific email address is associated with a valid user account.
Severity: Medium
Category: Information Disclosure / User Enumeration
Description
The password reset endpoint responds differently based on whether the submitted email address exists in the system.
When a registered email address is entered, the application returns a successful password reset response. However, when an unregistered email address is submitted, the application returns a different error message indicating that the email address does not exist.
This behavior enables an attacker to enumerate valid user accounts by submitting multiple email addresses and comparing the application’s responses.
Steps to Reproduce
1. Navigate to the Forgot Password page.
2. Enter a valid, registered email address.
3. Observe the success response indicating that a password reset email has been sent.
4. Repeat the process using an email address that is not registered.
5. Observe that the application returns a different response indicating that the email address does not exist.
6. Compare both responses and note that they reveal whether an email address is registered.
Proof of Concept
Registered Email
Email: registered@example.com
Response: "If an account exists, a password reset link has been sent."
Unregistered Email
Email: randomuser@example.com
Response: "Email address not found."
The difference in these responses allows an attacker to identify valid user accounts.
Security Impact
An attacker can exploit this behavior to:
- Enumerate valid user accounts.
- Identify registered email addresses.
- Facilitate targeted phishing campaigns.
- Support credential stuffing or password spraying attacks.
- Gather intelligence for further attacks against identified users.
Although this issue does not directly expose user credentials, it increases the effectiveness of subsequent attacks by revealing valid account information.
Recommendation
To mitigate this issue:
- Return the same generic response regardless of whether the email address exists.
- Use a consistent HTTP status code for both scenarios.
- Ensure response bodies, headers, and response timing are as similar as possible.
A recommended response is:
“If an account exists for the provided email address, a password reset email will be sent.”
This approach prevents attackers from distinguishing between registered and unregistered email addresses.
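The following is an added example, not code from the report or from the affected application. It places a reset handler that behaves as described in the Proof of Concept (different status code and body per branch) beside a hardened handler that applies the recommendation above, and includes the comparison check a tester would use to tell them apart. The in-memory user store, the handler names, the sample addresses and the mail queue are assumptions made for the example.

```python
"""Added example (not from the report): leaky vs. hardened password-reset handler,
plus the baseline-comparison check used to detect account enumeration.
The user store, handler names and mail queue are assumptions for illustration."""
import hashlib
import secrets

# Constructed sample data: one registered account (assumption, not from the report).
USERS = {"registered@example.com": {"id": 1}}

GENERIC_MESSAGE = ("If an account exists for the provided email address, "
                   "a password reset email will be sent.")

# Stand-in for the outbound mail queue. In a real deployment a background worker
# drains this, so SMTP latency never shows up in the HTTP response time.
MAIL_QUEUE = []


def reset_vulnerable(email, users=USERS):
    """Leaky handler: status code and body depend on whether the account exists."""
    if email in users:
        token = secrets.token_urlsafe(32)
        MAIL_QUEUE.append((email, token))
        return 200, "If an account exists, a password reset link has been sent."
    return 404, "Email address not found."


def reset_hardened(email, users=USERS):
    """Fixed handler: same status, same body, comparable work on both branches.

    The token is generated and hashed before the lookup so both code paths do
    the same expensive work; only a queue append differs, and delivery itself
    is off the request path.
    """
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    user = users.get(email)
    if user is not None:
        user["reset_token_hash"] = token_hash  # store the hash, never the raw token
        MAIL_QUEUE.append((email, token))
    return 200, GENERIC_MESSAGE


def enumerable_accounts(handler, candidates,
                        known_absent="no-such-user-8f3a@example.com"):
    """The check from the Proof of Concept: use a surely-unregistered address as
    the baseline and return every candidate whose (status, body) differs from it.
    A correctly hardened endpoint yields an empty list."""
    baseline = handler(known_absent)
    return [email for email in candidates if handler(email) != baseline]


if __name__ == "__main__":
    probes = ["registered@example.com", "randomuser@example.com"]
    print("vulnerable:", enumerable_accounts(reset_vulnerable, probes))  # → ['registered@example.com']
    print("hardened:  ", enumerable_accounts(reset_hardened, probes))    # → []
```

When running this check against a live endpoint over HTTP, compare response times as well as status and body, since a branch that sends mail synchronously leaks existence through latency even when the text is identical; the same generic behaviour should also be applied to the registration and login messages, which leak account existence in exactly the same way.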
Conclusion
The password reset functionality currently discloses account existence through differing responses. Standardizing the application’s responses for both valid and invalid email addresses will effectively prevent user enumeration and improve the overall security posture of the application.
I am submitting this report under responsible disclosure and would be happy to provide any additional information or assist with validation if required.
Kind regards,
Cyber_Subhash
Security Researcher