account enumeration

[Robin Wood <robin () digininja org>]

Hi
I'm writing a report and have identified the web app is vulnerable to
account enumeration because of the difference in messages on the
forgotten password page. This can be fixed by giving a generic message
regardless of whether the account exists in the system or not.

That got me thinking about the registration system. The site requires
a unique user name which means the registration page is vulnerable to
the same issue (see Sythe from Chris John Riley
http://blog.c22.cc/2012/10/03/scythe-framework/ ) but here it is worse
as you can't give a generic message, you have to say "sorry, the user
name is taken" if it is.

So I was wondering if there is a way to do a secure registration
system which does not leak information about existing accounts. The
only option I could think of was to use email address as the user name
and when someone wants to register they start the process by just
entering their address. If the account exists they are sent info to
tell them that someone has tried to register with that address and
offers the ability to recover the account or to report the attempt. If
they are not in the system it gives a unique registration link which
allows them to continue to register.

Does this sound like a workable solution?

Does anyone else have any other options?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com