
We are developing a web application where users can register using their e-mail address. During the login process, we used to have an error message "email is not registered". Since we need to maintain the privacy of our users, we changed this message to "invalid user name or password".

Are there any other ways that an attacker can identify whether an email is registered with our site or not?

Rithu Bimasha
  • You should maybe do the same with your password recovery form if you haven't already. – Steve Jan 18 '17 at 01:29
  • What about during registration - obviously they couldn't get any confirmation emails, or override the current account (at least, I hope not), but usually nothing stops people from putting a different email into the account registration page. Barring a captcha or similar, of course. [This somewhat has an existing answer](http://security.stackexchange.com/questions/40694/disclose-to-user-if-account-exists), but it may be impossible to enumerate all possible exploits for _your_ app... – Clockwork-Muse Jan 18 '17 at 01:59
  • 1
    Yes we did the same update to the forgot password and registration processes. – Rithu Bimasha Jan 18 '17 at 02:11

1 Answer


This is a good change that you made to harden against privacy leakage in your app. From the point of view of an attacker, there is one other way to identify whether an email is registered on your site or not. But this depends on how you have implemented your authentication process, the performance of your web servers, etc.

Normally we store the user password as a hash in the DB along with the salt value (hope you did the same?). So, if the login process identifies that an email exists in your DB, then it calculates the hash of the given password and tries to compare the hashes. Calculating the hash of the given password takes a bit of time. So what an attacker can do is compare the response times from your login page and identify the emails which take longer to respond.

As a remedy to this kind of attack, you have to manually control the response time of your login page so that it is constant.

user3496510
  • Will the time difference be really that high? – Limit Jan 18 '17 at 03:30
  • 2
    Yes it is. But cant measure this using naked eye. You need to use a tool to measure response time. You can easily measure those extra milliseconds. If the app is using simple hash like MD5 the difference is less. But I do not think any person who is aware of security using MD5 anymore. – user3496510 Jan 18 '17 at 03:36
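An added example (not code from the asker's app or the answerer) in Python that shows the timing gap the answer describes and one way to close it. Instead of padding the response with a sleep, `login_constant_work` always runs the password hash, against a dummy record when the email is unknown, so both paths do the same work; the user store, the sample account and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed PBKDF2 work factor; higher makes the gap larger


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: {email: (salt, pbkdf2_hash)}.
_salt = os.urandom(16)
USERS = {"alice@example.com": (_salt, hash_password("correct horse", _salt))}

# Dummy record, hashed once at startup. Used for unknown emails so that the
# unknown-email path costs the same as the known-email path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(email: str, password: str) -> bool:
    """Vulnerable pattern: unknown emails return before any hashing."""
    record = USERS.get(email)
    if record is None:
        return False  # fast path, microseconds instead of a full PBKDF2 run
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_constant_work(email: str, password: str) -> bool:
    """Hardened: hash on every request, comparing against a dummy if unknown."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return matched and email in USERS  # never accept a dummy match


def time_login(fn, email: str, password: str, rounds: int = 5) -> float:
    """Best-of-N wall clock for one login call, the kind of measurement an
    attacker would make with a timing tool."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(email, password)
        best = min(best, time.perf_counter() - t0)
    return best
```

Run `time_login` for a registered and an unregistered email against both functions: the leaky version answers unknown emails orders of magnitude faster, the constant-work version does not.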