I was just implementing a new feature on the registration form of my site that checks if an email address is still available to register an account with. I am wondering if it is secure to show a user that a certain email address is no longer available.

Is this feature a security risk related to the privacy of my members and how can I use it while defending against bots looking for email addresses?

xxdriesxx

  • There is no difference than telling that a username cannot be used. Do you really expect people to use the same email account multiple times when it's not the email account's owner using it? If you do then I suggest a verification to stop abuse. I am partial to just allowing the email address to be used multiple times unless there is a specific reason not to (i.e. it's used as the username of the user's profile). – Ramhound Mar 19 '12 at 13:48

3 Answers

A way to implement the availability check without giving any feedback to potential attackers is to always send an email to the address used for the registration. What the content of the email could look like:

  • "An account for a@b.c [with username xy] was just registered at $site. Click here to confirm."
  • "Somebody tried to register an account for a@b.c [with username xy] at $site, however this account already exists. If you forgot your password click here. If you did not initiate the registration please disregard this email."

This way, only the real owner of the email address will be able to check whether the address has already been used to sign up for the service. This approach is for example used by Ubuntu One.

twobeers

  • Excellent answer. Only notify the owner of the email. If the registrant really owns that email address, they will see that they're trying to create a duplicate account. – Kelvin Nov 01 '12 at 19:34

It does leak information on what email addresses have already been used, but this is only really an issue if an attacker can rapidly check through possible email addresses.

The simple solution is:

  • only allow a small number of attempts or requests from a particular IP in a session

This way a valid customer can still try a couple if their initial choice is unavailable, but an attacker attempting to enumerate email addresses will have to start new sessions.

Rory Alsop

No, this is a user enumeration vulnerability.

As an attacker if I can use your login or forgotten password page to narrow my list from 10000 targets to 1000 targets, I will.

The best implementation to solve this I have seen is that both the sign up and the forgotten password forms are a multistep process (exactly the same back-end/process after the initial form).

The form starts with a single field asking for email address. The user enters foo@example.com and then clicks submit. Then they are displayed the same page asking them to check their email account.

If the user is already registered, they get an email containing a password reset link with a random token that expires in a few hours.

If the user is not registered, they get an email containing a registration link with a random token so they can continue the sign-up process. As a bonus, you've already validated their email address for when they later forget their password!

No-one that does not have access to the foo@example.com email account can determine whether the user is registered or not.

Check out the example on Troy Hunt's blog post on password resets and the username enumeration vulnerability on alotporn.com for a good example of how important it is to meet the user's expectations of privacy.

SilverlightFox
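An added example, not code from any of the answers or from Ubuntu One, that implements the single entry point twobeers and SilverlightFox describe (identical page text for both cases, the distinction carried only in the email) together with Rory Alsop's per-client attempt cap. The class name, in-memory stores, email wording, limits and the `send_email` callback are all assumptions.

```python
import secrets
import time
from collections import defaultdict

TOKEN_TTL_SECONDS = 2 * 3600   # reset/registration links expire in a few hours
MAX_STARTS_PER_IP = 5          # cap on form submissions from one client address

class AccountService:
    """Hypothetical service: one entry point serves sign-up and password reset."""

    def __init__(self, send_email):
        self.users = {}                    # email -> profile (constructed store)
        self.tokens = {}                   # token -> (email, purpose, expires_at)
        self.starts = defaultdict(int)     # client ip -> submissions so far
        self.send_email = send_email       # callable(to_address, body)

    def _issue_token(self, email, purpose):
        token = secrets.token_urlsafe(32)  # unguessable, single-use (popped on redeem)
        self.tokens[token] = (email, purpose, time.time() + TOKEN_TTL_SECONDS)
        return token

    def start(self, email, client_ip):
        """Returns the same page text whether or not the address is registered."""
        self.starts[client_ip] += 1
        if self.starts[client_ip] > MAX_STARTS_PER_IP:
            return "Too many requests, please try again later."
        if email in self.users:
            token = self._issue_token(email, "reset")
            self.send_email(email, f"Somebody tried to register {email}, but an "
                                   f"account already exists. Reset: /reset?t={token}")
        else:
            token = self._issue_token(email, "register")
            self.send_email(email, f"Finish registering {email}: /register?t={token}")
        return "Check the inbox of that address to continue."

    def redeem(self, token, now=None):
        """Returns (email, purpose) exactly once, or None if unknown or expired."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        email, purpose, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return None
        return email, purpose
```

Only the mailbox owner can tell which of the two messages was sent; the response body, and ideally its timing, should not differ between branches.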