12

Being on the company security email list, I get emails with some regularity complaining about email discovery on various forms on my employers website. The reporters are complaining about things like our login form returning a specific message like "You password is incorrect." rather than "The email/password provided are incorrect." This lets possible attackers know that a certain email address is in use for an account.

I understand the issue here, and it's easy to change the messaging for a login or account recovery form. However, what can I do about a signup form. We only want one account for any given email address. I've looked at some other popular online services and their signup forms specifically tell you that the email address is in use.

Is there just no way around this? If that's the case, should I really pay any heed to the people complaining about email discovery on the login form?

Ali Ahmad
  • 4,814
  • 8
  • 35
  • 61
Endophage
  • 232
  • 2
  • 8

2 Answers2

16

This can be solved by implementing an out of band message.

To solve this issue I would have a form which can be used for two purposes:

  1. Account recovery.
  2. New user sign up.

The single field on this form is Email address. Of course you can use different text depending on whether the user wanted to recover their account or sign up, but the way it works will be the same.

Once the user has entered their email address and clicked Next, the same response will be shown for any address entered. Something similar to Thank you, please check your email account for the provided address.

The "out of band" message sent their email address will either say Please follow the link to recover your account or Please follow the link to sign up to our service and will contain the appropriate links which will include a time-limited token to allow the user to recover their account or sign up as necessary. The only thing that determines the text of this message is whether an account exists for their email address within the system, it does not matter if the user followed the account recovery or new user sign up links. As they should be the only user that can read their email, this should prevent username enumeration. The token will be associated to the provided email which will stop the user then attempting to sign up using a different address, or to reset the password of any other account. This also has the effect of validating the email account for new sign ups.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
  • 1
    I like this. I've been staring at the problem too long, I never thought of tying it into post signup email validation. – Endophage Dec 29 '13 at 04:05
  • Need any further help with this? If so I'll update my answer. – SilverlightFox Jan 06 '14 at 10:55
  • I'm good. Was just waiting to accept to encourage anyone else with an idea to post it. – Endophage Jan 06 '14 at 16:40
  • @Endophage This is ok, but a CAPTCHA isn't? Talk about a barrier to entry... This, to me, solves the problem perfectly, but severely hampers usability. I think this problem is overstated. I am of the belief that usernames/emails are not secret, it's the password that is secret. If you limit password attempts so that someone cannot brute force the account from the web, then why does it matter if they can check if a specific person they already know has an account on the site? They already know the email. If privacy is a major concern, the user should not use a publicly known email address. – Gray Aug 19 '14 at 13:21
  • 2
    @Gray: It very much depends on the system. Many systems such as web mail and social networking have user enumeration built into the design - it is not an issue if you find out a certain user has an account or not. With other systems you may have a massive list of email accounts and as the attacker you may wish to whittle down the list to only include the valid accounts ready for your brute force attack. For me, I don't think emailing the user hampers the UI at all - as said, this will also validate the email making sure they have a valid one for password reset in future. – SilverlightFox Aug 19 '14 at 13:33
  • 2
    @Gray: Also, if user enumeration is possible then the brute force attack could be soft enough as to not lock out particular users by only trying a handful of common passwords against each account. As more than one account is targeted the attacker has the advantage of low risk and the high chance of a hit. Furthermore, they could time their attack right so that by the time the first password has been tried on the last account any record of the failed login on the first account has expired. Another target for user enumeration is phishing. If they know an account exists they can target the email. – SilverlightFox Aug 19 '14 at 14:39
  • @SilverlightFox I think the risk is pretty low of getting a valid user using the method you describe. If you try to discover/enumerate 1000 accounts, you should set off alarms in the system. If this process is distributed, ok, fine. Now you have 1000 accounts on some botnet and you are limited to 1 password attempt per IP/account every X seconds, then extend to minutes, add a captcha if they keep trying. If you have a decent password policy, this wont work. The enumeration hits the DB same as a login attempt. I think this causes more UX issues than a captcha, still is a perfectly valid answer. – Gray Aug 19 '14 at 15:38
  • 1
    @Gray If you have a botnet, you can rapidly get more than 1000 email addresses. Even if you ban by IP, botnets control 100,000s if machines. I think you're also considering email addresses as being highly unique and they're not. Take a dictionary of first and last names, iterate over the permutations of those concatenated, I guarantee you get a good number of hits in just about every online service. That said, I tend to agree with you that I consider email addresses public information. However I don't consider my memberships public information. – Endophage Aug 19 '14 at 16:43
  • Validating email is also an important step in a signup process so this solution doesn't really raise the barrier to entry (and we're talking about signup only when we talk about barrier to entry). If you're building a platform where you don't care about a user's ability to recover their account, or your ability to contact them, that's fine, don't even bother collecting an email (Reddit doesn't require an email as an example). In my case however, we have paid users and it's important we can contact them and they can recover their account, so we have to work with valid emails. – Endophage Aug 19 '14 at 16:46
6

I think your best bet to prevent email enumeration in a situation like this is to add a CAPTCHA on your registration form. In order for an email enumeration attack to work an attacker must automate the submission of a very large number of emails to see which ones have accounts.

By adding a CAPTCHA you make it very difficult to effectively automate this type of attack and you can still give informative messages during registration.

Abe Miessler
  • 8,165
  • 10
  • 45
  • 72
  • 1
    We've discussed CAPTCHAs. I'm for them, but there is a consideration from other stakeholders that they create a barrier to entry, even if only shown after some number of failed attempts. +1 for a very valid answer though. – Endophage Dec 29 '13 at 04:04
  • 1
    If it's a targeted attack CAPTCHA won't help, if the sensible information is "Is this email registered to this website" you only need to test one email. I can see this as a sensible information for dating application, political website, health-related application, etc. – luxcem Dec 05 '18 at 14:59