Email enumeration via sending a magic sign in link functionality in healthchecks/healthchecks
Reported on Jan 20th 2023
Description
The "send a magic sign-in link" functionality is vulnerable to an email enumeration attack: the response text differs depending on whether the submitted address belongs to an existing account.
Proof of Concept
If you enter a registered email address, you get the message "Login Link Sent!".
If you enter a non-registered email address, you get the message "Unknown email address.".
Impact
Email enumeration allows an attacker to find valid usernames/emails on the victim application. They can use this information for more advanced attacks such as password brute-forcing or phishing attempts.
10 months ago
Hello bAu, thank you for the report!
Looking into it, the same issue also exists at the registration form: it returns either "Account created, please check your email!" or "An account with this email address already exists."
It's unfortunate usability and security are in conflict here. Users sometimes confuse the login and the signup forms, and then it is helpful to tell them something along the lines of "an account with this address does not exist, did you mean to sign up?"
The changes I'm planning to make:
- in both login and signup forms, always return a "Please check your email account for the provided address!" (or similar) message.
- add rate limiting by client IP for the login action (the signup action already has rate limiting)
Thanks, Pēteris
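An added illustration, not code from the healthchecks project, contrasting the response behaviour described in the report with the uniform-message plus per-IP rate limiting the maintainer plans; the registered-address set, the mail queue, the limiter class and the function names are constructed for this example.

```python
import time
from collections import defaultdict, deque

# Constructed stand-ins for the user table and the outgoing mail queue
# (hypothetical; the real project uses Django models and an email backend).
REGISTERED_EMAILS = {"alice@example.com"}
sent_links = []


def vulnerable_login(email: str) -> str:
    """Mirrors the behaviour in the report: the response text alone
    reveals whether the address belongs to an account."""
    if email in REGISTERED_EMAILS:
        sent_links.append(email)
        return "Login Link Sent!"
    return "Unknown email address."


class IpRateLimiter:
    """Sliding-window limiter keyed by client IP (hypothetical helper)."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip: str) -> bool:
        now = self.clock()
        q = self.hits[ip]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


UNIFORM_MESSAGE = "Please check your email account for the provided address!"


def hardened_login(email: str, client_ip: str, limiter: IpRateLimiter) -> str:
    """Same message for registered and unknown addresses, so the response
    carries no membership signal; requests over the per-IP budget are
    refused before the lookup happens, limiting bulk probing."""
    if not limiter.allow(client_ip):
        return "Too many requests, please try again later."
    if email in REGISTERED_EMAILS:
        sent_links.append(email)  # only the mailbox owner sees the difference
    return UNIFORM_MESSAGE
```

A uniform message does not remove timing differences if the mail is sent synchronously inside the request; queueing the send keeps response times alike as well.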