Businesses often fail to hide whether an email address is associated with an account on their websites, even when the nature of their business requires it and users implicitly expect it.
This was highlighted by data breaches at the online dating sites AdultFriendFinder.com and AshleyMadison.com, which cater to people looking for one-off sex or extramarital affairs. Both were vulnerable to a very common and rarely discussed website security risk known as account or user enumeration.
In the Adult Friend Finder hack, information was leaked about nearly 3.9 million registered users, out of the 63 million registered on the site. With Ashley Madison, hackers claim to have access to customer records, including nude photos, conversations and credit card transactions, but have reportedly only disclosed 2,500 usernames so far. The site has 33 million members.
People with accounts on these websites are probably very concerned, not only because their intimate photos and confidential information may be in the hands of hackers, but because simply having an account on these websites could cause them grief in their personal lives.
The problem is that even before these data breaches, many users’ association with the two websites was not well protected and it was easy to find out if a particular email address had been used to create an account.
The Open Web Application Security Project (OWASP), a community of security professionals who write guides on how to defend against the most common security breaches on the web, explains the problem. Web apps often reveal that a username exists on a system, either due to misconfiguration or a design decision, one of the group’s documents says. When someone submits incorrect credentials, they may receive a message indicating that the username is present on the system or the password provided is incorrect. The information thus obtained can be used by an attacker to obtain a list of users on a system.
Account enumeration can exist in several parts of a website, for example in the login form, the account registration form, or the password reset form. It arises because the website responds differently when an entered email address is associated with an existing account and when it is not.
In the wake of the Adult Friend Finder breach, a security researcher named Troy Hunt, who also runs the HaveIBeenPwned.com service, found that the website had an account enumeration problem on its forgot password page.
Even now, if an email address not associated with an account is entered in the form on this page, Adult Friend Finder will respond with: “Invalid Email”. If the address exists, the website will indicate that an email was sent with instructions to reset the password.
This makes it easy for anyone to check if people they know have accounts on Adult Friend Finder by simply entering their email addresses on this page.
Of course, one defense is to use separate email addresses that no one knows to create accounts on these websites. Some people probably already do this, but a lot of them don’t because it’s impractical or they aren’t aware of the risk.
Even when websites are aware of account enumeration and try to fix the problem, they may not do it correctly. Ashley Madison is one example, according to Hunt.
When the researcher recently tested the website’s forgot password page, he received the following message regardless of whether the email addresses he entered existed: “Thank you for your forgot password request. If this email address exists in our database, you will receive an email at this address shortly.”
This is a good response because it neither denies nor confirms the existence of an email address. However, Hunt observed another telltale sign: when the submitted email did not exist, the page kept the form for entering another address above the reply message, but when the email address did exist, the form was removed.
On other websites, the differences could be even more subtle. For example, the response page might be the same in both cases, but might be slower to load when the email exists because an email must also be sent as part of the process. It depends on the website, but in some cases such timing differences can lead to information leakage.
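The three leaks described above (a different message, a different page layout, and a slower response when a mail has to be sent) all come from the same root cause: the request path does different work depending on whether the address is known. The following added example, which is not code from the article or from either site, shows a leaky password-reset handler next to a hardened one that returns the same status, the same message and the same page shape for both outcomes and defers the lookup and the mail send to a background worker, so the request-path work is identical too. The account store, the in-memory mail outbox and the `PageResponse` fields are constructed for the example; the generic message text is the one quoted in the article. A small regression check is included that a site can run to confirm the two outcomes are indistinguishable to the browser.

```python
import secrets
from dataclasses import dataclass

# Constructed sample account store (hypothetical): email -> account id.
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# The generic wording quoted in the article; it fits both outcomes.
GENERIC_MESSAGE = (
    "Thank you for your forgot password request. If this email address exists "
    "in our database, you will receive an email at this address shortly."
)


@dataclass(frozen=True)
class PageResponse:
    """Everything the browser can observe about the reply page."""
    status: int
    message: str
    show_form: bool   # is the email form re-rendered above the message?


OUTBOX = []  # stands in for the mail transport; entries are (email, token)


def send_reset_email(email, token):
    """Simulated mail send; a real transport would be slow, which is the timing leak."""
    OUTBOX.append((email, token))


def reset_leaky(email, db=USERS):
    """Leaky handler, as the article describes for Adult Friend Finder:
    message, page shape and work done all depend on whether the address exists."""
    if email not in db:
        return PageResponse(200, "Invalid Email", show_form=True)
    send_reset_email(email, secrets.token_urlsafe(32))
    return PageResponse(
        200, "An email with instructions to reset your password has been sent.",
        show_form=False,
    )


def reset_hardened(email, queue, db=USERS):
    """Hardened handler: identical status, message and layout for both outcomes.
    The token is generated and the job enqueued unconditionally, so the request
    path does the same work whether or not the address is in the database; the
    lookup and the (slow) mail send happen later in process_queue."""
    token = secrets.token_urlsafe(32)   # always generated
    queue.append((email, token))        # always enqueued, no lookup here
    return PageResponse(200, GENERIC_MESSAGE, show_form=False)


def process_queue(queue, db=USERS):
    """Background worker: only known addresses actually get a message.
    Returns the number of mails sent."""
    sent = 0
    while queue:
        email, token = queue.pop(0)
        if email in db:
            send_reset_email(email, token)
            sent += 1
    return sent


def responses_indistinguishable(handler, known, unknown, **kwargs):
    """Defender's regression check: submit a known and an unknown address and
    confirm every observable field of the reply page is identical."""
    return handler(known, **kwargs) == handler(unknown, **kwargs)


if __name__ == "__main__":
    print("leaky:   ", responses_indistinguishable(reset_leaky, "alice@example.com", "nobody@example.com"))
    jobs = []
    print("hardened:", responses_indistinguishable(reset_hardened, "alice@example.com", "nobody@example.com", queue=jobs))
    print("mails sent by worker:", process_queue(jobs))
```

Deferring the send to a worker is what removes the timing difference the article mentions; the same queue is also the natural place to add per-address rate limiting so the reset endpoint cannot be used to flood someone's inbox.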
“So here’s the lesson for anyone setting up accounts on websites: Always assume that your account’s presence is discoverable,” Hunt said in a blog post. “There shouldn’t be a data breach, sites will often tell you that directly or implicitly.”
His advice to users concerned about this issue is to use an email alias or account that cannot be traced back to them.
Copyright © 2015 IDG Communications, Inc.