
username enumeration



When trying to log in with an invalid username the following message is displayed:

"The Display Name or Email Address you entered does not belong to any account. Make sure that it is typed correctly."

This is a security issue as usernames/email addresses can be enumerated. It also means attackers can lock accounts out.

I recommend this message and the invalid password message are the same. 

PS. I'm surprised your external security audit hasn't picked this obvious one up? It usually comes up as a high/critical on security reports we've had.

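The fix the post above recommends, shown as an added example that is not part of this thread or of the forum software: a login check that leaks account existence through its message beside one that returns a single generic message and does the same password work whether or not the account exists. The user store, credentials and message strings are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: identifier (display name or email)
# maps to (salt, PBKDF2-SHA256 hash). Not the forum's real storage.
def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash(b"correct horse", _SALT))}

# Dummy credential checked when the account does not exist, so the
# "no such user" path costs the same as a real password verification
# and cannot be told apart by response time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16), _DUMMY_SALT)

GENERIC_MSG = "Your username or password was incorrect."


def login_leaky(identifier: str, password: str) -> tuple[bool, str]:
    """Behaviour described in the thread: the message reveals whether
    the identifier belongs to an account."""
    record = USERS.get(identifier)
    if record is None:
        return False, ("The Display Name or Email Address you entered does not "
                       "belong to any account. Make sure that it is typed correctly.")
    salt, stored = record
    if not hmac.compare_digest(_hash(password.encode(), salt), stored):
        return False, "The password you entered is incorrect."
    return True, "Welcome."


def login_hardened(identifier: str, password: str) -> tuple[bool, str]:
    """Unknown account and wrong password produce the same message and
    the same amount of hashing work."""
    salt, stored = USERS.get(identifier, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password.encode(), salt), stored)
    # The dummy hash is derived from random bytes and can never match,
    # but the explicit membership check keeps the logic obviously correct.
    ok = ok and identifier in USERS
    if not ok:
        return False, GENERIC_MSG
    return True, "Welcome."
```

Lockout counters belong on the same generic path: incrementing them only for existing accounts reintroduces the leak.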

Entering the correct password doesn't unlock?

There are 2 issues with username enumeration:

1. An attacker now knows valid usernames/emails and can then brute force an account or go phishing.

2. An attacker can perform an easy DoS and keep locking accounts out - I'm sure "admin" is a very well used username!


Usernames can already be obtained by looking at the site - login usernames are the same as display names. However, email enumeration (or, more to the point, revealing that the owner of that email has an account on the site) is not ideal, so I agree that it would be a good idea to change the message to just "your username or password was incorrect". It isn't a high priority issue (in this case) though, just not best practice.

Accounts are only locked out per IP address, so unless you're in the same network as the person you're locking out, it won't affect them.

This should probably be in Product Feedback though.
