
I'm not a security guy, so bear with me. As discussed in other topics, usernames in and of themselves are valid forms of verification, and there's nothing particularly sensitive or secure about usernames. For example, in most registration flows, when selecting a username, the system will tell the user whether a username is taken - thus potentially giving malicious users a list of valid usernames. And that's okay, the same things happen in most password recovery flows.

A suggested flow for a user that is trying to recover their forgotten username would be to allow them to type in their phone or email, and the system would instantly return their username in the UI without verification.

The main problem that I could see is that this may allow a malicious user to not only obtain the username, but also to associate it with phone/email. Maybe that's okay too though, because that doesn't give any vital information. To access an account, they would still need access to that phone or email to reset the password. In that respect I don't believe the account would be compromised.

Help me out, what are the flaws in my thinking here?

2 Answers

1

As a developer you must make sure that your customers' Email-ID/Phone are not given away to any unauthorized people.

For any valid email input you just show the user, irrespective of whether he/she is registered or not:

Username sent to the email.

This way the attacker can never find out if a user is registered or not. The email is sent only to registered users via the backend.

If you feel that message is a bit confusing for the user, you can display:

If your account is found in the system, we will mail you the username.

Rohith K D
  • This is the current set up we have right now, but our users have expressed a lot of frustration around this. The attacker can find out if a certain username is registered in almost any registration flow. This is done when the user is 'creating' a username, and the registration service has to check for uniqueness. If the name is not unique we are forced to tell users that that username has already been registered with another user. – Casey Robinson Mar 19 '19 at 17:28
  • A username cannot be considered Personally Identifiable Information, but emails and phone numbers are. With stringent regulations on PII, you must make sure that PII is not leaked. – Rohith K D Mar 19 '19 at 17:32
  • Google, Facebook, Instagram all have a mechanism that checks whether the username is taken or not. They have systems in place (blocking an IP after several consecutive sign-up attempts) to make sure that no hackers abuse this system to enumerate a username list. – Rohith K D Mar 19 '19 at 17:38
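The answer above describes a flow where the UI shows the same message for every syntactically valid email and the username is only ever delivered through the email channel, plus (in the comments) blocking a client after several attempts. The following is an added example, not code from the question or the answer, showing one way to implement that: the response status and text depend only on input validity and the rate limiter, never on whether the address is registered. The user store, the `Outbox` stand-in for an email backend, and the per-client `RateLimiter` are all constructed for illustration.

```python
# Added example (not from the original question or answers): a "forgot username"
# handler that returns the same response for every valid email and only enqueues
# a message for registered accounts, so the response itself cannot be used to
# tell registered from unregistered addresses.
import re
from collections import defaultdict

# Constructed sample user store: email -> username (hypothetical data).
USERS = {
    "alice@example.com": "alice_92",
    "bob@example.com": "bobby",
}

# Uniform message shown in the UI whether or not the email is registered.
UNIFORM_MESSAGE = "If your account is found in the system, we will mail you the username."

# Minimal syntactic check; a production service would use a proper validator.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class Outbox:
    """Stand-in for an email sending backend; records what would be sent."""

    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


class RateLimiter:
    """Per-client attempt counter, mirroring the 'block after several attempts'
    idea from the comments. In-memory here; a real deployment would share state."""

    def __init__(self, limit):
        self.limit = limit
        self.attempts = defaultdict(int)

    def allow(self, client_id):
        self.attempts[client_id] += 1
        return self.attempts[client_id] <= self.limit


def normalize_email(raw):
    """Trim and lower-case so lookups do not depend on how the user typed it."""
    return raw.strip().lower()


def forgot_username(email_input, client_id, users, outbox, limiter):
    """Return (http_status, message).

    The status and message depend only on input validity and rate limiting.
    Registered and unregistered addresses both get (200, UNIFORM_MESSAGE);
    the only difference is whether an email is queued on the backend.
    """
    # Rate-limit first so even malformed input counts against the client.
    if not limiter.allow(client_id):
        return 429, "Too many requests. Please try again later."
    email = normalize_email(email_input)
    if not _EMAIL_RE.match(email):
        return 400, "Please enter a valid email address."
    username = users.get(email)
    if username is not None:
        # Only the holder of the mailbox learns the username.
        outbox.send(email, f"Your username is: {username}")
    return 200, UNIFORM_MESSAGE


if __name__ == "__main__":
    outbox, limiter = Outbox(), RateLimiter(limit=5)
    print(forgot_username("Alice@Example.com", "client-1", USERS, outbox, limiter))
    print(forgot_username("nobody@example.com", "client-1", USERS, outbox, limiter))
    print("queued:", outbox.sent)
```

Both calls in the usage block print the same `(200, ...)` tuple; only the outbox shows that one email was queued. Note that this protects the response body but not timing: if the registered path does noticeably more work (rendering and sending mail inline), the delay can still leak membership, which is why the send is typically queued to a background worker rather than performed in the request.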
0

Modern computer systems are vulnerable to many sorts of attacks. The mentioned idea of stealing the username for the purpose of resetting an account and then taking over the system is one of them. The problem is that most computer systems are complex and attackers are smart. They have enough time to think about attack plans.

A well known counter strategy is to raise the abstraction level. Defending a network against hackers has to be treated on an academic level. In the common literature so-called attack graphs are modeled in the PDDL language to describe behaviors. The workflow until an attacker has stolen the usernames and uses additional information to take over an account can be visualized in a syntax similar to a UML statechart. That means it consists of different steps which use weaknesses in the target system.

To discuss which steps are needed to protect a network against these steps, it makes sense to use a formal system description. In some papers this was done in the past; they are available at Google Scholar under the search string “pddl attack graph”.

Manuel Rodriguez