by awesome_dude
179 days ago
2. Verbose Error Messages: When Your Application Talks Too Much
Verbose error messages represent another common misconfiguration that gifts critical information to attackers. When applications encounter errors, they often generate detailed messages intended for developers. In production environments, these messages can reveal:
Technical infrastructure details: Database types, versions, server configurations
File paths and directory structures: Enabling directory traversal attacks
Programming logic: Including code snippets that expose application behavior
Sensitive credentials: Database connection strings, usernames, passwords
Software versions: Allowing attackers to identify known vulnerabilities
The impact of this vulnerability is significant. Error messages can expose not just that a system runs PHP, but that it runs a specific, unsupported version — providing attackers with a clear exploitation path. Security researchers have documented numerous instances where verbose error messages enabled breaches:
Dating App Vulnerability (2016): Tinder’s login system displayed error messages indicating whether specific email addresses were registered, enabling brute-force attacks to identify valid accounts.
Password Manager Leak (2019): A popular password manager’s login form disclosed through error messages whether email addresses were registered with the service, facilitating targeted attacks.
Government Agency Breach (2020): A major US government agency’s website displayed error messages revealing whether specific usernames existed in the system, enabling attackers to enumerate valid accounts. [1] https://medium.com/@instatunnel/security-misconfiguration-th...
I mean, sure, it's a security issue, but on a scale of 1-10, with 1 being "security issue, we'll fix in next point release" and 10 being "All-hands until this emergency patch goes out, and we keep the system offline while fixing it", this is definitely a 1.
Secondly, this barely counts as a security issue; some systems I worked on recently required error messages to tell the user how to fix the error they got. You don't simply say (for example) "attachment not found", you say "Field $FIELD is empty. This is a mandatory field" or similar.
There are still plenty of secure systems out there that will direct the user to create an account if an unregistered user attempts to log in.
It's a trade-off in usability: some places go the "Authentication failed (but we won't tell you why)" route, and others go the "Click here to sign up" route.
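The account-enumeration case the quoted article describes (distinct "no such account" and "wrong password" messages) next to the generic-message variant, as an added example that is not from the article or the commenter. The user store, salt and password are constructed for the demo; the hardened path also verifies a dummy hash for unknown accounts so both failures take the same work, and keeps the detail in the server log.

```python
import hashlib
import hmac
import logging
import secrets

# Constructed demo user store: email -> (salt, PBKDF2-SHA256 hash). Not real data.
_SALT = b"demo-salt-constructed"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice@example.com": (_SALT, _hash("correct horse battery staple"))}

# Hash of a random, never-used password. Checked when the account does not exist,
# so the "unknown user" path costs the same as a real password check.
_DUMMY_HASH = _hash(secrets.token_hex(16))

log = logging.getLogger("auth")


def login_verbose(email: str, password: str) -> str:
    """Misconfigured variant: the message itself says whether the e-mail is registered."""
    record = USERS.get(email)
    if record is None:
        return f"No account is registered for {email}"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password for this account"
    return "OK"


def login_hardened(email: str, password: str) -> str:
    """Production variant: one message for every failure; the reason goes to the server log."""
    record = USERS.get(email)
    salt, stored = record if record is not None else (_SALT, _DUMMY_HASH)
    # Always run the hash comparison, then discard the result for unknown accounts.
    ok = hmac.compare_digest(_hash(password, salt), stored) and record is not None
    if not ok:
        ref = secrets.token_hex(4)  # correlation id for support staff, logged server-side
        log.info("login failed ref=%s account_exists=%s", ref, record is not None)
        return "Authentication failed"
    return "OK"
```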