I am responsible for a website that allows a user to reset the password, as usual. However, the response of the website is different whether the entered username matches or not.

This would allow an attacker to derive a dictionary of usernames in use.

Is this considered a risk? How much?

Notes:

  • The website logs each request, so after a while, repeated requests will pile up, but there are no other measures currently.
  • I will soon fix that problem by returning the same response content, but would like to use this behaviour as an exercise for me to learn about security. I could imagine that, by response-time measurements, the fix will still allow at least guessing usernames.
  • Before fixing, I would like to see how bad or not this specific problem is. After the fix, I would like to rerun any previously successful test to assert that the problem really is gone.

Using the ZAP Proxy and sqlmap (with aggressive levels), I was not able to find an automated exploit/test to this problem.

nulldev
  • Welcome. Your second question: *Are there other common tools to test?* is [**off-topic**](http://security.stackexchange.com/help) here. – Oct 22 '15 at 12:39
  • Thanks, @Begueradj for mentioning about the tools part. I will remove that from the question. – nulldev Oct 22 '15 at 12:40
  • Just guessing that this related problem exists: What happens when a user wants to register with a user name that is already taken? – Noir Oct 22 '15 at 14:03
  • @Noir In this particular website, users can not register themselves. They either get an account automatically if they match some criteria offline or must explicitly ask an admin to register them. – nulldev Oct 22 '15 at 14:08
  • Possible duplicate of [Best practice for forgot password form, ok to leak that a given e-mail is invalid](http://security.stackexchange.com/questions/49191/best-practice-for-forgot-password-form-ok-to-leak-that-a-given-e-mail-is-invali) – SilverlightFox Oct 27 '15 at 09:31

4 Answers

While it is true that displaying a different message depending on whether or not the username exists might increase the attack surface, you have to realize that generally:

A username is not a secret

  • Usernames are often public (available to anyone that visits the website, e.g. forums)
  • Usernames are often email addresses (public again)
  • Usernames are often reused between multiple sites (public again)

There are very few applications where the username is totally secret. Is it your case? Is there no way for anyone other than the user to know his username? But let's look at the risks...

Security Risk

When we are talking about a username/password combo, there is almost no security risk in revealing the username. Some people might argue that you could make yourself vulnerable to brute force attacks, but it won't work. Why? It's simply because brute force attacks do not work over a network, as in most cases you will create a denial of service attack before you are able to crack a single password.

Privacy Risk

The one place where it might be critical to keep a username secret might be when the user does not wish to be associated with the service. BUT... If the user really wants to stay secret, why doesn't he choose a username that cannot be linked to him? If I want to keep my identity secret while I'm using a service, common sense tells me that I should not use my real name, real email or real address at least.

Interesting reads about keeping usernames secret

Gudradain
  • Thanks, this is very helpful. I always thought usernames are to be kept secret, but now I am not so sure anymore... In fact, the longer I think, it seems like security by obscurity. – nulldev Oct 22 '15 at 14:14

You give away information. The result is that a bot can first try to find usernames, and then for those specific usernames try to find passwords. That makes it a lot easier to find good combinations.

How much this is a risk depends on what other measures you've taken. Do you limit login attempts? Do you log IP addresses and monitor suspicious attempts? Do you take action when you see this kind of activity? Do you notify users and administrators? Do you require strong passwords?

Why do you need to test for this, if you know how it works?

SPRBRN
  • If the username is the email address (or the email address can be linked to the username somehow) the user is also exposed to phishing attacks. – Jay Oct 22 '15 at 12:45
  • @Jay I updated the question as per your questions. – nulldev Oct 22 '15 at 12:51
  • @Jay: Thanks for this clarification about username linkage. In my particular use case, the usernames are not email addresses. They are mostly semi-random, with only part of the user's real name, pre- and postfixed with random characters; however, some of them are real names. – nulldev Oct 22 '15 at 13:42

Is this considered a risk? How much?

Yes, there is a certain risk because you are enlarging the attack surface, leading to two scenarios:

  1. Brute-forcing attack against an already known username on your website
  2. Password guessing attack: suppose a user logs in to your website with the username FirstnameLastname. An attacker could google that full name and land on that user's personal website, where he publishes pictures of his wife, children and his favorite food (which is quite frequent): the attacker could then guess that user's password, which is efficient especially since most users use alphanumeric passwords most of the time.


Solution:

Instead of displaying an error message as you did (username already used), just use a generic error message such as: username or password incorrect

  • Thanks for this info. Luckily, in this case, passwords are generated randomly for the user, even for the first login, so they are not easily guessable. – nulldev Oct 22 '15 at 13:39

It is good practice to just supply a simple "Username or Password is invalid" message. If the user is performing a reset, ask for their email address and send an email to that account stating it is not a valid email address, or send the reset link if it is. The less information you expose directly on the site, the better. It is also a good idea to make the login name different from the name displayed and used on the site.

Risks of acknowledging a username is correct or publicly displaying them:

It makes it easy for someone to use a bot or automated tool to scan your site for usernames, or to test a list of known usernames to build a list of accounts which can then be brute-forced, or, if the user has a list of stolen usernames and passwords, to attempt known passwords that may work if someone uses the same password on multiple sites. With no way to confirm that the account is real, they will not waste their time trying to compromise an account that is questionable if it actually exists. If you confirm an account exists, you have given a verified target.

David-
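The two behaviours discussed in the question and the answers side by side, as an added example that is not from the question or from any answer: a reset handler that leaks as described, the hardened one with a single generic response and the mail taken off the request path, and the self-check the asker wants to rerun after the fix (the user store, e-mail addresses and the mail stand-in are constructed).

```python
import statistics
import time

# Constructed sample user store (username -> e-mail); not real data.
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}
OUTBOX = []  # mails handed to a background worker


def _send_mail(address):
    """Stand-in for the mail call; real sending is the slow part."""
    OUTBOX.append(address)
    time.sleep(0.002)  # simulate talking to the mail server


def reset_leaky(username):
    """Behaviour from the question: the body says whether the user exists,
    and the slow mail call runs only for existing users (timing leak)."""
    if username in USERS:
        _send_mail(USERS[username])
        return "A reset link has been sent to your e-mail address."
    return "Unknown username."


def reset_hardened(username):
    """Fix from the answers: one generic body, and the same work on the
    response path whether or not the account exists (mail is only queued)."""
    address = USERS.get(username)
    if address is not None:
        OUTBOX.append(address)  # a worker sends it later, off the request path
    return "If an account with that username exists, a reset link has been sent."


def enumeration_check(handler, known, unknown, rounds=20):
    """Self-check to rerun after the fix: differing bodies for a known and an
    unknown username mean the site confirms usernames; a large gap between
    the median response times is the residual timing side channel."""
    bodies, timings = set(), {}
    for name in (known, unknown):
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            bodies.add(handler(name))
            samples.append(time.perf_counter() - t0)
        timings[name] = statistics.median(samples)
    return {"leaks_body": len(bodies) > 1,
            "median_gap_ms": 1000 * abs(timings[known] - timings[unknown])}
```

Run the check against the leaky handler first, then against the hardened one; the body leak must disappear and the timing gap should shrink to noise once sending is moved off the response path.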