Account enumeration on web applications
Why a generic message to prevent user enumeration is an acceptable user experience degradation to improve security
Recently I stumbled on this article : https://hackernoon.com/username-or-password-is-incorrect-is-bullshit-89985ca2be48
Here’s why Travis Jeffery’s idea about account enumeration is wrong.
TL;DR
This article is stating that using a vague message on Github degrades user experience and adds nothing to security because account enumeration is possible by other methods.
Thus, it states that the “user or password is incorrect” message is bullshit.
Here we’ll see the advantages of this technique and that this is not a black and white situation.
The “user or password is incorrect” message
Some web applications display a generic message when a login attempt failed. This message doesn’t let know if the wrong parameter is the username, the password or both.
In fact this adds a bit security by obscurity. If this is not a good technique to implement alone, this hardens the security posture by letting the least possible information go to the attacker.
In many web applications using this technique, the user account enumeration is possible by other means. For example by the password recovery module using e-mail addresses, user profiles or sign up module.
On Github, it is possible to enumerate users by the two last methods. If Travis is totally right about the fact that the message on login page is useless in this case this does not compromise the whole technique.
Using a specific example or the problem of risk evaluation
In a pentest we always evaluate the risk of the practical impact on the business. Thus user enumeration, or any other vulnerability, must be taken in the context.
The fact is that Github and Stripe are pretty bad examples to explain the usefulness of “the username or password is incorrect” in preventing account enumeration.
Let me take another, yet fictive, example.
For this, we will take a web application allowing our favorite stars to view the result of their cosmetic surgery in advance. They do not create their accounts because this step is done by the surgeon when they render the final result.
No one wants all the Earth to know what he or she will undergo this kind of surgery (except some fools but this is not the subject here). So if we can enumerate people we could try logins such as sjohansson to deduce the next title for our crap tabloid.
In this case, if no other public module is giving the hint, this message becomes a critical part of our security posture.
And this is the important part of our story, the security measures are always dependant on what information is critical for us.
Every security posture is different and most of security advises commonly aknowledged in the community are relevant at least for someone. So stop being so manicheous and consider the criticity of each case.
As a pentester every application, system or network is unique and you should take in account the context of your target. The risk should always be considered with the business impact in mind. So maybe “username or password incorrect” message is bullshit on Github and Stripe but certainly not in the general case because the general case does not exist in security.