Email enumeration in password reset

[mirko-kienle]

Hi, we've just finished building our first Statamic site for a client. The client has now had a security assessment run by an external infosec firm and one of their findings was the following:

Description: User enumeration is when an attacker can determine if a username presented to the application is valid or not, due to the message returned from the server in response to authentication or password reset type of facility. This would allow the attacker to gain a list of valid usernames which could then be utilised in a brute-force attack or targeted phishing.

Details: During the assessment a method of username enumeration was identified. Using the forgotten password function, the system would identify if the account entered was valid upon submission responding to the user with a non- generic message. If the account provided was valid then the system would respond that the email had been successfully sent; if the account was not valid then the user would receive a notification that a user could not be found with an email address. Given that no generic message is provided when the function is used, and that during the testing no rate limiting was identified for this; a malicious user can automate these requests to identify a list of valid usernames.

This concerns the password reset functionality at /cp/auth/password/reset.

I've seen that you explicitly mention "Username or email address enumeration" as non-qualifying vulnerabilities in your security policy.

I guess my question would be why? It is a clear attack vector, even if the possible uses are limited. Best practice would seem to be serving generic messages instead of providing feedback on the (in)validity of submitted email addresses. Any guidance would be appreciated, thanks! I'm happy to open a corresponding issue if that's the best course of action.

[edalzell]

Sounds like a good feature request, I'd open it on the ideas repo.

[mirko-kienle]

Thanks for pointing me in the right direction @edalzell, appreciate it

[mirko-kienle]

statamic/ideas#752