Vulnerability Report : Information Disclosure via Forget Password
Posted: Thu May 27, 2021 8:13 pm
Hi,
URL: https://forums.kaomaris.com/
Description:
I noticed a small information leak which allows an attacker to check whether an email address is associated with an account.
Proof of concept:
If we enter any registered email in the forgot password area, we get a response like this. See the screenshot below.
And if we enter any unregistered email in the forgot password area, we get a response like this. See the screenshot below.
This means we get different responses in the two cases, so an attacker can test a large number of email addresses to see which are registered on your website and which are not.
Impact:
Attackers will be able to identify which accounts are registered on your website.
Suggested fix:
You should always return a status message like: "If your email exists in our database, you'll receive a reset link". That way an attacker cannot distinguish between the two cases.
Looking forward to your response.
Thanks
Sincerely,
Hassam
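As an added example (not part of Hassam's report or the forum's own code), here is a minimal Python reset handler showing the reported leaky behaviour beside the suggested fix, plus a regression check a defender can keep in a test suite. The user store, outbox and reset URL are constructed placeholders.

```python
import secrets

# Constructed in-memory user store and outbox for this example (not the forum's real data).
REGISTERED = {"alice@example.com": "user-1"}
_pending_tokens: dict[str, str] = {}          # user id -> reset token
_outbox: list[tuple[str, str]] = []           # (recipient, mail body), stands in for SMTP

GENERIC_MESSAGE = "If your email exists in our database, you'll receive a reset link."


def leaky_request_reset(email: str) -> dict:
    """The reported behaviour: the response differs depending on whether the account exists."""
    user_id = REGISTERED.get(email.strip().lower())
    if user_id is None:
        return {"status": 404, "message": "No account found for this email address."}
    _pending_tokens[user_id] = secrets.token_urlsafe(32)
    return {"status": 200, "message": "A password reset link has been sent."}


def fixed_request_reset(email: str) -> dict:
    """Suggested fix: identical status and body for registered and unregistered addresses.

    Account existence only affects what happens out of band (token storage and the
    email that is sent), never anything the requester can observe in the response.
    """
    normalized = email.strip().lower()
    user_id = REGISTERED.get(normalized)
    # Generate the token unconditionally so both branches do comparable work;
    # it is only stored and mailed when the account actually exists.
    token = secrets.token_urlsafe(32)
    if user_id is not None:
        _pending_tokens[user_id] = token
        # Placeholder reset URL, not the forum's real one.
        _outbox.append((normalized, f"Reset link: https://forums.example/reset?token={token}"))
    return {"status": 200, "message": GENERIC_MESSAGE}


def responses_indistinguishable(handler, registered: str, unregistered: str) -> bool:
    """Defender-side regression check: both addresses must produce an identical response."""
    return handler(registered) == handler(unregistered)


if __name__ == "__main__":
    print("leaky:", responses_indistinguishable(leaky_request_reset, "alice@example.com", "nobody@example.com"))
    print("fixed:", responses_indistinguishable(fixed_request_reset, "alice@example.com", "nobody@example.com"))
```

The check only compares response bodies; in production, also confirm that status codes, headers and response time do not differ between the two branches.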