10

When we create a Google account, Google tells us whether an account with the specified username exists or not.

[screenshot: the Google account sign-up form reporting whether the chosen username is already taken]

Doesn't that lead to user enumeration?

Why not let users fill in the other information first, pass the CAPTCHA test, and only then choose the email address? Would this really frustrate users?

Engineer
  • 4
What else could they do? Let you register the address, even if it is already registered by another user? Randomly reject a percentage of usernames in signups even though they are not already registered? Or simply not let users have any say in the matter, and just give them a generated address? – kasperd Aug 06 '14 at 21:09
  • @kasperd they could wait until you've completed the rest of the signup form before telling you. – user253751 Aug 06 '14 at 21:29
  • 3
@immibis Users will get annoyed if they have wasted time filling out all of that information only to be told they cannot have the address they want. Besides, it wouldn't even slow down a bot attempting lots of different addresses. – kasperd Aug 06 '14 at 21:33
  • @kasperd The question is about security, not usability. The bot would have to create a real email account for every failed enumeration attempt. – user253751 Aug 06 '14 at 21:36
@immibis Whoever made such a bot wouldn't mind if, as a side effect, lots of email accounts were created. However, continuing to query for names once you have found one that is available is suspicious behavior, regardless of whether you register the name or not. So it might very well be easy to detect and block. – kasperd Aug 06 '14 at 21:42
  • How do you know there is a real user `abc123`. Maybe google created it as a spam-bait account. Maybe google decided to create `abc123` as a spam-bait account just because you tried to register it. If google takes a random small fraction of proposed user names and turns them into spam bait accounts, then how effective is username enumeration? – emory Aug 07 '14 at 01:10
  • @kasperd It would trigger their normal mechanisms for preventing account spam (IIRC, GMail requires a verified phone number) – user253751 Aug 07 '14 at 03:12
  • @immibis Nobody is preventing Google from using those methods earlier in the process. – kasperd Aug 07 '14 at 06:59
  • Related: http://security.stackexchange.com/questions/62661/generic-error-message-for-wrong-password-or-username-is-this-really-helpful – user11153 Aug 07 '14 at 11:08

2 Answers

16

Email accounts are not private, so there is little risk in discovering a certain address. The same thing could be accomplished by sending an email to random accounts and seeing what bounces back.

Email account enumeration is not the risk as much as true user enumeration is.

schroeder
4

Yes, but it is not efficient user enumeration if they rate-limit requests, require evidence of humanity, or lie with increasing probability after a number of requests.

Besides, most large webmail systems rely on heuristic spam filters instead of the unguessability of email addresses to limit the amount of spam that reaches your inbox.

Mike Samuel
I did not get what you mean by efficient user enumeration – Engineer Aug 06 '14 at 16:40
  • 1
    @Engineer, If the cost of enumerating the n-th email address by this method is less than the benefit that comes from knowing the email address, then an attacker can profit from doing so. If enumerating is hard/inefficient, then there are fewer attackers who would benefit so the system is less *vulnerable*. – Mike Samuel Aug 06 '14 at 16:50
  • Why not let users fill other information first, pass the CAPTCHA test, and then choose the email address after passing the CAPTCHA test? – Engineer Aug 07 '14 at 10:52
  • @Engineer, as schroeder points out, email accounts are not private, so there's little gain, and early captchas might lead to fewer legitimate account creations because users might be more willing to do a captcha after they're invested in a name they've chosen. – Mike Samuel Aug 07 '14 at 11:29
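As an added illustration of the three mitigations this answer lists (rate limiting, a proof-of-humanity gate, and lying with increasing probability), here is a small Python model of a username-availability endpoint. It is example code written for this page, not Google's implementation or anything from the thread; the registered-account set, the CAPTCHA token string, the per-window thresholds and the "attacker" simulation are all constructed for the demonstration.

```python
import random
from collections import defaultdict, deque

# Constructed sample account database (not real data).
REGISTERED = {"alice", "bob", "carol", "dave"}

# Constructed stand-in for a verified CAPTCHA solution; a real service would
# validate a signed token issued by the CAPTCHA provider instead.
VALID_CAPTCHA_TOKEN = "captcha-ok"


class AvailabilityChecker:
    """Username-availability endpoint hardened against bulk enumeration.

    Per client (IP, session or device fingerprint) it layers:
      1. a sliding-window rate limit (`max_per_window` checks per `window_s`);
      2. a humanity gate: after `captcha_after` checks the caller must present
         a solved CAPTCHA token;
      3. progressive lying: after `lie_after` checks, a genuinely free name is
         reported as 'taken' with a probability that climbs linearly to 1 with
         every further query, so 'taken' answers stop being reliable evidence
         that an account exists.  The lie only ever goes in the safe direction
         (free -> 'taken'): an honest user is nudged to pick another name,
         never told that a taken name is free.
    """

    def __init__(self, registered, window_s=60.0, max_per_window=20,
                 captcha_after=5, lie_after=10, rng=None):
        self.registered = {name.lower() for name in registered}
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.captcha_after = captcha_after
        self.lie_after = lie_after
        # rng: zero-argument callable returning a float in [0, 1); injectable
        # so the lying behaviour can be tested deterministically.
        self.rand = rng or random.random
        self._history = defaultdict(deque)  # client_id -> timestamps in window

    def _recent(self, client_id, now):
        """Drop timestamps older than the window and return the client's deque."""
        q = self._history[client_id]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def check(self, client_id, username, now, captcha_token=None):
        """Return 'available', 'taken', 'captcha_required' or 'rate_limited'."""
        q = self._recent(client_id, now)
        n = len(q)
        if n >= self.max_per_window:
            return "rate_limited"
        if n >= self.captcha_after and captcha_token != VALID_CAPTCHA_TOKEN:
            return "captcha_required"
        q.append(now)  # only answered queries count against the budget
        n += 1

        if username.lower() in self.registered:
            return "taken"  # always truthful for names that really exist
        over = n - self.lie_after
        if over > 0:
            p_lie = min(1.0, over / self.lie_after)  # 0.1, 0.2, ... , 1.0
            if self.rand() < p_lie:
                return "taken"  # deliberate lie about a free name
        return "available"


def enumeration_accuracy(checker, client_id, candidates, captcha_token=None):
    """Simulate an attacker checking `candidates` one per second from a single
    client identity.  Returns (precision, answers) where precision is the
    fraction of 'taken' answers that name a real account, i.e. how much the
    attacker can trust what it learned."""
    answers = [
        checker.check(client_id, name, now=float(i), captcha_token=captcha_token)
        for i, name in enumerate(candidates)
    ]
    taken = [name for name, a in zip(candidates, answers) if a == "taken"]
    true_taken = [name for name in taken if name.lower() in checker.registered]
    precision = len(true_taken) / len(taken) if taken else 1.0
    return precision, answers


if __name__ == "__main__":
    attacker_list = ["alice", "bob"] + [f"fake{i}" for i in range(10)]
    checker = AvailabilityChecker(REGISTERED)
    print(enumeration_accuracy(checker, "203.0.113.7", attacker_list,
                               captcha_token=VALID_CAPTCHA_TOKEN))
```

The design choice worth noting is that the noise is injected only after a client has already exceeded what a human choosing a username would plausibly do, and only on free names, so the ordinary sign-up flow still gets an honest answer on the first few tries while a scraper's later "taken" results carry less and less information. Rate limiting by a single client identifier is of course only as strong as that identifier; a distributed attacker spreads queries across many addresses, which is why the CAPTCHA and the per-client lie threshold matter more than the raw request cap.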