# Full Report
Resource enumeration is the process of determining whether a resource, especially a username, exists in an application. By itself it is not a big deal; it is usually only a stepping stone to further exploitation, so many people do not care about the vulnerability. This article touches on this bug class.

Sometimes the data is obvious. For instance, @dooflin5 on Twitter is my handle, and it can be seen easily. In other cases it is more subtle: a different error message being returned on login depending on whether the email exists in the system can be enough to disclose it. Besides information disclosure, trying a lot of logins can also be used as a DoS vector.

The author found this vulnerability on some websites. The company said it's a known design feature. So, what's wrong? It's a user experience thing. If the user can't remember their username, it becomes hella annoying to use your website. Generally speaking, the less information you give to the attacker, the more secure the system is going to be, but the harder it is for the end user to work with. In practice, things like password reset and logins should have good rate limiting and captchas anyway. This prevents automation of this exploit, but the core issue can still be used to guess small numbers of usernames by hand. See the references for a good read on assessing the design tradeoffs.
# Analysis Summary
# Vulnerability: Improper Disclosure of Existing User Accounts (User Enumeration)
## CVE Details
- **CVE ID**: Not Assigned (Design-level flaw)
- **CVSS Score**: Approximately 2.4 - 3.1 (Low)
- **CWE**: [CWE-204](https://cwe.mitre.org/data/definitions/204.html): Response Discrepancy Information Exposure
## Affected Systems
- **Products**: Zenodo (Open-source repository) and general web applications utilizing distinct authentication responses.
- **Versions**: All versions lacking unified error messaging.
- **Configurations**: Applications where the login, password reset, or registration modules return different messages or timing signatures based on whether a username/email exists in the database.
## Vulnerability Description
The vulnerability is a type of information leakage where an application’s response allows an attacker to distinguish between valid and invalid usernames. This typically occurs in:
1. **Login Pages**: Different messages for "Invalid password" (user exists) vs. "User not found" (user does not exist).
2. **Password Resets**: A message stating "An email has been sent" vs. "Email address not found."
3. **Registration**: Publicly stating "Username is already taken."
While often considered a "design feature" for User Experience (UX), it allows attackers to build a list of valid targets for further attacks.
## Exploitation
- **Status**: PoC available (Demonstrated on Zenodo website by author).
- **Complexity**: Low.
- **Attack Vector**: Network.
## Impact
- **Confidentiality**: Low (Disclosure of registered usernames/emails).
- **Integrity**: None.
- **Availability**: Low (Can be used as a vector for account lockout DoS or excessive resource consumption via automated guessing).
## Remediation
### Patches
- No specific patch; requires a code-level design change to unify application responses.
### Workarounds
- **Generic Messaging**: Implement identical responses for successful and failed lookups (e.g., "If an account exists for this email, you will receive a link").
- **Rate Limiting**: Implementation of strict rate limits on authentication endpoints to prevent bulk automated enumeration.
- **CAPTCHA**: Use of CAPTCHAs to prevent automated scripts from testing thousands of usernames.
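The response discrepancy described above and the generic-messaging workaround, as an added Python example (not code from Zenodo or from the original report). The user store, salt, dummy hash and mail outbox are constructed stand-ins; the hardened variants return the same status, body and amount of hashing work whether or not the account exists, so neither the message nor the timing signature reveals it.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the page): email -> PBKDF2 password hash.
SALT = b"constructed-static-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice@example.com": _pw_hash("correct horse battery staple")}
# Dummy hash so an unknown user still costs one full PBKDF2 run (no timing leak).
DUMMY_HASH = _pw_hash(secrets.token_hex(16))

GENERIC_LOGIN = "Invalid email or password."
GENERIC_RESET = "If an account exists for this email, you will receive a link."
OUTBOX: list = []  # stands in for the mail queue; a client cannot observe it


# --- Vulnerable: CWE-204 response discrepancy (status and body differ) ---
def login_vulnerable(email: str, password: str) -> tuple[int, str]:
    stored = USERS.get(email)
    if stored is None:
        return 404, "User not found."      # reveals the account does not exist
    if not hmac.compare_digest(stored, _pw_hash(password)):
        return 401, "Invalid password."    # reveals the account exists
    return 200, "Welcome."


def reset_vulnerable(email: str) -> tuple[int, str]:
    if email not in USERS:
        return 404, "Email address not found."
    OUTBOX.append(email)
    return 200, "An email has been sent."


# --- Hardened: identical status, body and work regardless of existence ---
def login_hardened(email: str, password: str) -> tuple[int, str]:
    stored = USERS.get(email, DUMMY_HASH)  # unknown user still hashes once
    ok = hmac.compare_digest(stored, _pw_hash(password)) and email in USERS
    return (200, "Welcome.") if ok else (401, GENERIC_LOGIN)


def reset_hardened(email: str) -> tuple[int, str]:
    token = secrets.token_urlsafe(32)      # generated on every request
    if email in USERS:
        OUTBOX.append((email, token))      # the only difference is server-side
    return 200, GENERIC_RESET
```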
## Detection
- **Indicators of Compromise**: High volumes of requests to `/login`, `/reset-password`, or `/register` endpoints from a single IP or a distributed botnet, characterized by rotating "username" parameters.
- **Detection Methods**: Monitoring web server logs for 4xx status codes or specific "User not found" response bodies occurring at high frequencies. WAFs (Web Application Firewalls) can be tuned to detect these patterns.
## References
- [https://cwe.mitre.org/data/definitions/204.html](https://cwe.mitre.org/data/definitions/204.html)
- [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account)
- [https://zenodo.org/](https://zenodo.org/)
- [https://medium.com/@aleksamajkic/too-much-information-the-less-you-reveal-the-better-163dabb7f89f](https://medium.com/@aleksamajkic/too-much-information-the-less-you-reveal-the-better-163dabb7f89f)