by JimDabell 3331 days ago
> I've never seen anyone else acknowledge "confirmation of email address existence" as a security issue

It's usually called "username enumeration" and there's plenty of pen testing firms that include this as a standard part of their process.


How do you prevent username enumeration when you want to have a "username taken" feature in the sign-up process? I suppose a way to handle that would be to throttle the number of times such an IP can make those requests per month or something. This still will not prevent a motivated attacker, or the casual user who checks if one or two usernames are registered.
In most cases, you can use an email address as the account name, and send a confirmation email containing a link they can use to sign up.

If the account already exists, you send an email saying something like "Hey, you tried to sign up but you already have an account. If you need to reset your password, follow this link." If the account doesn't already exist, you send the normal "follow this link to confirm your account" email.

From the attacker's point of view all they get told is "Check your email to continue" whether or not the account is already registered, so it doesn't leak this information.

This isn't always suitable – a mail provider like Gmail is an obvious example – but it would work for the vast majority of websites / web applications.

To be honest, I don't really rate username enumeration as a severe problem for most projects – obviously it's a problem if you can determine whether an email address is registered on, e.g. Ashley Madison or similar though. But it's simply not the case that "nobody else acknowledges it as a problem" – it's a very widely used test, even if the severity is usually considered low.
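The sign-up flow described above, as an added example that is not code from the thread or from any real project: the leaky handler answers differently depending on whether the address is registered, while the hardened handler always returns the same message and moves the branch into the email itself. The user store, outbox and token handling are constructed stand-ins.

```python
"""Sign-up flow that does not reveal whether an address is already registered.

Added example, not code from the thread or any real project. REGISTERED and
OUTBOX are constructed stand-ins for a user store and a mail sender.
"""
import secrets

# Constructed sample state: one pre-existing account.
REGISTERED = {"alice@example.com"}
OUTBOX = []  # (recipient, body) tuples, standing in for a real mail sender

GENERIC_RESPONSE = "Check your email to continue."


def leaky_signup(email: str) -> str:
    """Enumerable variant: the HTTP response itself differs by account state."""
    if email in REGISTERED:
        return "That email address is already registered."
    OUTBOX.append((email, "Follow this link to confirm your account."))
    return GENERIC_RESPONSE


def safe_signup(email: str) -> str:
    """Hardened variant: identical response either way; the branch lives in the mail.

    Both paths do the same amount of work (generate a token, queue one mail), so
    response time does not become a substitute signal for the removed message.
    """
    token = secrets.token_urlsafe(32)  # single-use token; a real app stores it server-side
    if email in REGISTERED:
        # Existing user: say so in the mail and offer a password reset instead.
        OUTBOX.append((email, f"You already have an account. Reset password: /reset/{token}"))
    else:
        OUTBOX.append((email, f"Follow this link to confirm your account: /confirm/{token}"))
    return GENERIC_RESPONSE


def responses_identical(handler, known: str, unknown: str) -> bool:
    """True when the handler gives the same user-visible answer for both inputs."""
    return handler(known) == handler(unknown)
```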

Username enumeration is useful against a system with 10 or 1000 accounts, but absolutely meaningless on a system with 1,000,000,000 regular users.
It can be useful in either case. It depends on what the attacker is trying to achieve. If they just want to get in as any user, then your hypothetical system with a billion regular users is going to be even easier, because if even a fraction of those can be enumerated, it's likely that at least some will be accessible using a password-spraying attack using one or two common passwords, or by cross-referencing with passwords disclosed in a breach.
But if we're talking concretely about GMail here, the easiest way for someone to get in as "any user" is to create a GMail account.