
I am currently working on a web portal which allows users to login via standard authentication credentials (username, password).

However, I'm required to return appropriate error messages when the login fails:

  1. When the email entered is incorrect, return error message saying: Invalid email.
  2. When the email entered is correct, but the password doesn't match the error message should be Invalid password, please try again.

Now, my question is whether the first error message poses any security risk. This is because, when I return an error code in my API response, an attacker can use the response code to enumerate the list of valid email IDs that are registered with my database?

If not, can you direct me to appropriate resources that elaborate on valid error messages to be shown or any protocol to be followed for such login scenarios?

Rocky Inde
  • Few other similar questions https://security.stackexchange.com/questions/17816/username-and-or-password-invalid-why-do-websites-show-this-kind-of-message-i & https://security.stackexchange.com/questions/13079/is-there-any-reason-to-show-the-same-message-for-invalid-username-as-password – PwdRsch Mar 07 '19 at 18:11

2 Answers

Yes, email enumeration could be seen as a security risk.

An attacker now knows the email of a valid account and may leverage this to try logging in with passwords from previous breaches.

It could also be used to potentially phish users of your service.

This isn't a terrible risk though, and it can be mitigated by limiting login attempts from a single IP (or similar IP range). You could also track the overall rate of failed logins to detect more advanced enumeration attempts.

There are a number of potential pitfalls related to authentication. OWASP has a great cheatsheet on Authentication; I always recommend it as a first step to check that all your bases are covered.

Daisetsu

Although from a technical point of view the risk could be considered limited (as suggested by @Daisetsu) if the authentication mechanism is properly implemented, the system is still leaking data.

Going a bit deeper into whether this is a terrible risk or not, it depends on several things such as:

  1. Is rate limiting in place?
  2. After X amount of failed attempts, are requests blocked (or is a captcha shown)?
  3. What is the password policy?
  4. Is multi factor authentication in place?

You basically have 50% of the credentials and a password guessing attack can be quite simple.

Now I am no General Data Protection Regulation (GDPR) expert, but an email address in a specific case can be considered personal data:

It depends whether or not a natural person is identified or identifiable based on the email address. The way persons have structured their email addresses has to be taken into account in order to determine whether the email address can be seen as personal data or not.

Source: https://lawandmore.nl/en/blog-nl-en/email-addresses-and-the-scope-of-the-gdpr/

In other words, it also depends in what country you reside and what laws are applicable when it comes to personal data.

Can you direct me to appropriate resources that elaborate on valid error messages to be shown or any protocol to be followed for such login scenarios.

In both cases (invalid email address and invalid password), the message should just display something like: "Username and/or password are incorrect."

Jeroen
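The uniform error message from Jeroen's answer combined with the per-client attempt limit Daisetsu suggests, as an added example that is not code from the question or either answer; the in-memory user store, the sample account and the per-IP counter are assumed placeholders, and a dummy hash computation is used so that an unknown email costs the same work as a known one.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 50_000
GENERIC_ERROR = "Username and/or password are incorrect."
MAX_FAILURES = 5  # failed attempts allowed per client before requests are refused


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample account standing in for a database row (placeholder values).
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT, hash_password("correct horse", _SALT)),
}

# Dummy salt and a random digest that no password can match. Hashing against
# it for unknown emails keeps response timing from revealing whether the
# address exists, which a uniform message alone does not guarantee.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)

# Hypothetical per-client failure counter (keyed by client IP).
failed_attempts = defaultdict(int)


def authenticate(email: str, password: str, client_ip: str) -> tuple:
    """Return (success, message). The message is identical for an
    unknown email and for a wrong password on a known email."""
    if failed_attempts[client_ip] >= MAX_FAILURES:
        return False, "Too many failed attempts, please try again later."

    # Same code path and same hashing cost whether or not the email is known.
    salt, expected = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest avoids short-circuiting on the first differing byte.
    if hmac.compare_digest(candidate, expected):
        failed_attempts[client_ip] = 0
        return True, "Login successful."

    failed_attempts[client_ip] += 1
    return False, GENERIC_ERROR
```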