PaulDotCom mailing list archives
account enumeration
From: Robin Wood <robin () digininja org>
Date: Thu, 20 Dec 2012 16:05:15 +0000
Hi,

I'm writing a report and have identified that the web app is vulnerable to account enumeration because of the difference in messages on the forgotten password page. This can be fixed by giving a generic message regardless of whether the account exists in the system or not.

That got me thinking about the registration system. The site requires a unique user name, which means the registration page is vulnerable to the same issue (see Scythe from Chris John Riley http://blog.c22.cc/2012/10/03/scythe-framework/ ), but here it is worse, as you can't give a generic message: you have to say "sorry, the user name is taken" if it is.

So I was wondering if there is a way to do a secure registration system which does not leak information about existing accounts. The only option I could think of was to use the email address as the user name, and when someone wants to register they start the process by just entering their address. If the account exists, they are sent info to tell them that someone has tried to register with that address and offering the ability to recover the account or to report the attempt. If they are not in the system, it gives a unique registration link which allows them to continue to register.

Does this sound like a workable solution? Does anyone else have any other options?

Robin
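The two-step, email-first registration flow proposed above, as an added example that is not part of the original post or any real application: the HTTP reply is identical whether or not the address is known, and the difference lives only in the email that is queued. The account store, the in-memory pending-token table, the `Mailer` stand-in and the `example.invalid` link host are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample data (assumption): one registered account, no pending registrations.
ACCOUNTS = {"alice@example.com": {"display_name": "Alice"}}
PENDING_REGISTRATIONS = {}  # sha256(token) -> email; only the hash is kept server-side

# One reply for every caller: the page text can no longer reveal whether the address exists.
GENERIC_RESPONSE = "Check your inbox: if that address can be used, we have emailed the next step."


@dataclass
class Mailer:
    """Stand-in for an asynchronous mail queue; it only records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def start_registration(email, mailer, store=ACCOUNTS):
    """Step 1 of the flow in the post: the visitor supplies nothing but an address."""
    email = email.strip().lower()  # normalise so alice@ and Alice@ hit the same account
    if email in store:
        # Existing account: tell the owner, offer recovery or a report, issue no registration link.
        mailer.send(email, "Someone tried to register with your address",
                    "If this was not you, you can recover your account or report the attempt.")
    else:
        # New address: mint an unguessable single-use token and store only its hash,
        # so a leaked table does not hand out usable registration links.
        token = secrets.token_urlsafe(32)
        PENDING_REGISTRATIONS[hashlib.sha256(token.encode()).hexdigest()] = email
        mailer.send(email, "Finish your registration",
                    f"https://example.invalid/register/{token}")  # placeholder host
    # Same text on both paths. Mail is handed to a queue rather than sent inline, because
    # a synchronous SMTP call on one path only would reintroduce the leak as a timing difference.
    return GENERIC_RESPONSE


def complete_registration(token):
    """Step 2: following the emailed link proves control of the address; returns it or None."""
    key = hashlib.sha256(token.encode()).hexdigest()
    return PENDING_REGISTRATIONS.pop(key, None)  # pop makes the link single-use
```

The same generic-reply pattern fixes the forgotten-password page from the post: look the address up, queue a reset mail only when it exists, and return `GENERIC_RESPONSE` either way.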