[SECURITY] Email enumeration #21
Assignees
Labels
Milestone
Comments
topsecret-chat-admin
added
tested
|
This issue has been resolved. See below an example of the email received by the user when someone attempts registering using their email. A special THANKS again to Kunal Mhaske for the contribution and collaboration.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Notice
The identification and proposed resolution of this issue has been kindly provided by Kunal Mhaske and this ticket has been logged on his behalf.
Vulnerability Name
Email enumeration at the SignUp page
Vulnerable URL
https://topsecret.chat/app/signup/signup.html
Description
At the signup page a msg box says
The email xxx@yyy.zzz is already in use.The problem is that any used email gets the same error message. while when you enter any other e-mail regardless of whether it is fake or not & valid or not it gets accepted. which means any Email (could be fake) is valid except registered emails in the database. So an attacker can compare both responses (success & failure) and enumerate users' emails on a large scale.
Impact
Brute force attack at large scale may disclose users' email.
Mitigation
A better security practice is simply saying that you sent a link to the e-mail no matter if they have an account already or not. If they have already registered and another process is done, the Email message must say that
someone tried to signup with that Email address, if that is you please log inThe text was updated successfully, but these errors were encountered: