6

While viewing bug bounties, I noticed that most of the bug bounties list the user enumeration in the excluding list. For instance brute forcing user accounts, forget password forms would generally fall into this category.

This got me thinking about why they in general omit user enumeration vulnerabilities? Do the websites not care about usernames leaked over their forms or an bot crawling to created automated accounts?

This question is not concerned about any particular webapp, I just want to know about the general reason behind it.

Arminius
  • 43,922
  • 13
  • 140
  • 136
BlueBerry - Vignesh4303
  • 5,107
  • 13
  • 34
  • 63

2 Answers2

11

Because they are already aware of the issue. This is evident of them making a mention on the exclusion list. Not mentioning it would likely lead to a lot of users pointing it out.

And since they are aware you might be wondering why they won't fix it. There really isn't a way to prevent it. If they restrict an email to one sign up they will have to inform the user why they cannot complete their registration if it has already been used. Or if a username is already selected, they would again have to inform them in an user friendly way why they cannot. So instead of taking out enumeration completely they will have to limit attempts, include CAPTCHA, or implement another plan to prevent abuse.

So when you have a known bug with no ability or intentions to fix it there really isn't any benefit to the company to pay out a bounty or receive reports on it.

Bacon Brad
  • 3,340
  • 19
  • 26
  • 2
    Letting the user know *in the email* that the address is already used for an account eliminates the email enumeration risk, but at the cost of usability. But that is a side note, I think the main point of your answer is absolutely right. – Anders May 31 '16 at 07:01
  • There _is_ a way to prevent it totally. See [this answer](http://security.stackexchange.com/a/47748/8340). I guess that most sites don't work like this because the user experience is affected while they check their email and could result in disgruntled users going elsewhere for their business. – SilverlightFox Jun 02 '16 at 14:26
3

In addition to @Bacon Brad's excellent answer above, I would like to include three more reasons as to why "user enumeration" is often listed under the "out of scope bugs" sections in security policies.

  1. Lots of bug bounty platforms have default policies which programs can use when launching. By default these policies often include a handful of frequently-reported low-severity issues including user enumeration.
  2. Programs usually don't want bug bounty hunters flooding their servers with requests so user enumeration falls under "brute forcing" — it's just a way of saying: "Please don't repeatedly probe for different usernames on our application."
  3. Bug bounty programs receive lots of reports, so it's really important to prioritise your triage team's efforts and minimise the number of low-priority reports to ensure the team can focus on critical issues. By excluding "user enumeration", the program can reduce a bit of noise and make the triaging process much easier. Of course programs still receive reports concerning issues that are listed in their policy as out of scope, but it still seems to work for the most part.
EdOverflow
  • 1,246
  • 8
  • 21