Security Sense: Most Websites Already Tell Everyone You Have an Account

Security Sense: Most Websites Already Tell Everyone You Have an Account

Last week I wrote about the enormously sensitive nature of the Adult Friend Finder data breach. Here we have a situation where deeply personal attributes had been insufficiently secured and were now out on the web for anyone to find. Now when I say “deeply” personal, I’m talking about things like the victims’ sexual orientation, their bedroom preferences with their partner of choice and indeed just the very fact that they were looking for sexual encounters. For many, that last point leaves them in a bit of a quandary as it may have been unbeknownst to their wife / husband / significant other.

But here’s the problem with that as it relates to the AFF data breach: this isn’t a new thing. I mean discovering that someone is out there looking to hook up isn’t a new thing and it’s not new because many websites will tell you this anyway well before they’re breached. How on earth is this possible?! It’s easy, it’s a “feature”.

Here’s how it works:

  1. Go to the site you want to check an account on
  2. Attempt to reset the password

That is all. AFF, like the majority of websites, will happily tell you if the account exists or not. Mind you, it’s a bit implicit and what you’ll inevitably see is either a message saying something along the lines of “We’ve just sent you a password reset email” or “Your email address doesn’t exist on the system”. And there you have it – privacy now eroded.

This is referred to as an enumeration risk in that whilst it doesn’t explicitly disclose a list of users on the system, it does allow you to ask that system – one by one – if users exist on it. It means you can take a great big list of email addresses (these are easily bought or found for free – such as on your company’s intranet…) and simply enumerate through them. If there’s no anti-automation protection such as a CAPTCHA or brute force defences on the target site (which there frequently isn’t), you can entirely automate the process.

But what if the password reset page isn’t disclosing the presence of an account? I mean what if the site has actually built a secure password reset feature which gives the same response regardless of whether the account exists or not? No problem, you can almost certainly achieve the same end by attempting to register a new account with the email address. If it succeeds, they didn’t have an account (although they do now!) but if the site responds with “That email address is already registered”, well…

And this is really the whole point: yes it’s terrible that AFF had the data breach and yes the presence of one’s personally identifiable email address in that breach is unquestionably a very uncomfortable position for many to find themselves in but no, this is not a new threat. The risk of disclosure of one’s participation in most online services has always been there expect we don’t think of it as that; it’s normally referred to as a “feature”!

Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish