Re: account enumeration

[Robin Wood <robin () digininja org>]

On 20 December 2012 16:55, Zate <zate75 () gmail com> wrote:
> That sounds like a viable solution in principle.  I'd couple that with
> making sure you use persona to authenticate, not email address.  So start
> registration with an email address, it checks to see if that email is
> associated with an account.  It either emails a link to continue or to
> recover.  Zero indication to the attacker is returned on the validity of the
> email address.
>
> Same with account recovery, enter an email address, we email you a recovery
> link with zero feedback on whether an account exists.
>
> Now when it comes time to add a persona, you are still going to have to
> check that persona to make sure it's unique.  I've seen some games (and most
> of my experience in this was working at a game company) start to use persona
> with a random 4 digits on the end.  So if  I want Bugsbunny, on the back end
> it does a check, grabs me a random 4 digits not associated with Bugsbunny
> and I end up with Bugsbunny.7834.  I get the persona I want, and there is
> not "is it used" check.
>
> Inside the app/game you can drop the 4 digits from display, just use them as
> a uniqueness identifier.
>
> This solves, I think, a number of issues.  Thoughts on that?

If you dropped the random four digits would you get problems with
impersonation  where one Bugsbunny could pretend to be another once in
the system?

Someone on Twitter pointed out that maybe the user names should not be
private and I've been thinking about that. If you have good
protections in place to prevent things like password brute force what
is the issue with attackers finding the names of system users. If the
system is implemented like you suggest and personas are used rather
than email addresses then if someone wants to stay anonymous they just
avoid re-use of a persona across multiple systems. I have a feeling
that this is wrong but can't put my finger on why.

> btw, it's still a good idea to use some anti-automation stuff in various
> places such as account reset, registration etc etc.  I'm also a big fan of
> OTP when machine/browser changes (ie logging in from a previously unknown
> IP)

That sounds like a good idea. Assume they attempt to log in and after
successful authentication they are securely sent a OTP which then lets
them finish authentication. If the OTP is used before successful
authentication then an attacker could flood a valid user with OTPs.

Robin

> Zate
>
>
>
> On Thu, Dec 20, 2012 at 10:05 AM, Robin Wood <robin () digininja org> wrote:
> > Hi
> > I'm writing a report and have identified the web app is vulnerable to
> > account enumeration because of the difference in messages on the
> > forgotten password page. This can be fixed by giving a generic message
> > regardless of whether the account exists in the system or not.
> >
> > That got me thinking about the registration system. The site requires
> > a unique user name which means the registration page is vulnerable to
> > the same issue (see Sythe from Chris John Riley
> > http://blog.c22.cc/2012/10/03/scythe-framework/ ) but here it is worse
> > as you can't give a generic message, you have to say "sorry, the user
> > name is taken" if it is.
> >
> > So I was wondering if there is a way to do a secure registration
> > system which does not leak information about existing accounts. The
> > only option I could think of was to use email address as the user name
> > and when someone wants to register they start the process by just
> > entering their address. If the account exists they are sent info to
> > tell them that someone has tried to register with that address and
> > offers the ability to recover the account or to report the attempt. If
> > they are not in the system it gives a unique registration link which
> > allows them to continue to register.
> >
> > Does this sound like a workable solution?
> >
> > Does anyone else have any other options?
> >
> > Robin
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com