
User Accounts Enumerable #495

@cpitkin

Description


Overview:
The application's response when using the forgot-password functionality on the Administrator login page allows for account enumeration. The user is required to enter an e-mail address in order to reset their password. If an e-mail address that does not belong to an account is submitted, an error is returned to the user, so the response reveals which addresses are registered.

Severity: LOW
An attacker may generate a list of known-valid accounts and then perform a password guessing attack to compromise an account in order to gain unauthorized access to the application.

Recommendation:
The application should be modified to display the same message to the user initiating the password reset process whether the username is matched or not. When the user submits the username or email address, the application should respond with an identical message for both success and failure. For example, the application could use a message such as "A secure link to reset your password has been sent via email if the username and email address matched your account information."
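To make the recommendation concrete, here is an added Python model (not the project's code) of the forgot-password handler in its reported form and in the uniform-response form, plus a check that can be kept as a regression test. The user store, e-mail addresses and handler signatures are assumptions.

```python
import secrets
from dataclasses import dataclass

# Constructed sample account store; the address is an assumption, not project data.
USERS = {"admin@example.com": {"id": 1}}

# Fixed message from the recommendation: identical for matched and unmatched input.
RESET_MESSAGE = ("A secure link to reset your password has been sent via email "
                 "if the username and email address matched your account information.")


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def forgot_password_vulnerable(email: str, users: dict, outbox: list) -> Response:
    """Reported behaviour: an unknown address gets a distinct error, so status
    code and body together reveal whether the account exists."""
    if email not in users:
        return Response(404, "No account found for that email address.")
    outbox.append((email, secrets.token_urlsafe(32)))
    return Response(200, "A password reset link has been sent.")


def forgot_password_hardened(email: str, users: dict, outbox: list) -> Response:
    """Same status, same body and the same work on every path. The token is
    generated unconditionally so found/not-found cost about the same; the mail
    itself belongs on a background queue so delivery time never reaches the
    HTTP response."""
    token = secrets.token_urlsafe(32)
    user = users.get(email.strip().lower())
    if user is not None:
        outbox.append((email, token))  # only a real account receives a link
    return Response(200, RESET_MESSAGE)


def is_enumerable(handler, users: dict, known: str, unknown: str) -> bool:
    """Regression check: does the handler answer a known and an unknown address
    differently? True means the oracle described in the issue is present."""
    r_known = handler(known, users, [])
    r_unknown = handler(unknown, users, [])
    return (r_known.status, r_known.body) != (r_unknown.status, r_unknown.body)


if __name__ == "__main__":
    for name, h in (("vulnerable", forgot_password_vulnerable), ("hardened", forgot_password_hardened)):
        print(name, "enumerable:", is_enumerable(h, USERS, "admin@example.com", "nobody@example.com"))
```

The check compares only status and body; in a real deployment, response headers, content length and server-side timing should be kept uniform as well.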

Reference:
https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication

Labels: security (Anything that is possibly security related)