Companies often fail to hide whether an email address is associated with an account on their websites, even when the nature of their business calls for this and users implicitly expect it.
This has been highlighted by data breaches at online dating sites AdultFriendFinder.com and AshleyMadison.com, which cater to people looking for one-time sexual encounters or extramarital affairs. Both were vulnerable to a very common and rarely addressed website security risk known as account or user enumeration.
In the Adult Friend Finder hack, information was leaked on almost 3.9 million registered users, out of the 63 million registered on the site. With Ashley Madison, hackers claim to have access to customer records, including nude pictures, conversations and credit card transactions, but have reportedly leaked only 2,500 user names so far. The site has 33 million members.
People with accounts on those websites are likely very concerned, not only because their intimate pictures and confidential information might be in the hands of hackers, but because the mere fact of having an account on those websites could cause them grief in their personal lives.
The problem is that even before these data breaches, many users' association with the two websites was not well protected and it was easy to discover if a particular email address had been used to register an account.
The Open Web Application Security Project (OWASP), a community of security professionals that drafts guides about how to defend against the most common security flaws on the Web, explains the issue. Web applications often reveal when a username exists on a system, either because of a misconfiguration or as a design decision, one of the group's documents says. When someone submits the wrong credentials, they may receive a message saying that the username is present on the system or that the password provided is wrong. Information obtained in this way can be used by an attacker to gain a list of users on a system.
Account enumeration can exist in multiple parts of a website, for example in the log-in form, the account registration form or the password reset form. It is caused by the website responding differently when a submitted email address is associated with an existing account than when it is not.
Following the breach at Adult Friend Finder, a security researcher named Troy Hunt, who also runs the HaveIBeenPwned.com service, found that the website had an account enumeration issue on its forgotten password page.
Even now, if an email address that's not associated with an account is entered into the form on that page, Adult Friend Finder will reply with: "Invalid email." If the address exists, the website will say that an email was sent with instructions to reset the password.
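To make the difference concrete, here is an added example (not code from the article or from either site) of a forgotten-password handler in the enumerating form described above, beside a hardened version that answers identically for any address. The user store, the mailer and all function names are constructed stand-ins.

```python
# Added example: an enumerating password-reset handler beside a hardened one.
# USERS, Mailer and the handler names are constructed stand-ins, not real code.
import secrets
from dataclasses import dataclass, field

# Constructed sample user store: normalized email -> display name.
USERS = {"alice@example.com": "alice"}


@dataclass
class Mailer:
    """Stand-in for an outbound mail queue processed by a background worker."""
    queued: list = field(default_factory=list)
    sent: list = field(default_factory=list)

    def enqueue(self, email: str, token: str) -> None:
        self.queued.append((email, token))

    def deliver(self) -> None:
        # The worker, not the request handler, decides whether a message goes
        # out, so the registered/unregistered branch never shapes the response.
        for email, token in self.queued:
            if email in USERS:
                self.sent.append((email, token))
        self.queued.clear()


def _normalize(email: str) -> str:
    return email.strip().lower()


def reset_vulnerable(email: str, mailer: Mailer) -> str:
    """Enumerating behaviour: the reply reveals whether the address has an account."""
    addr = _normalize(email)
    if addr not in USERS:
        return "Invalid email."
    mailer.enqueue(addr, secrets.token_urlsafe(32))
    return "An email was sent with instructions to reset your password."


GENERIC_REPLY = ("If that address is registered, an email with reset "
                 "instructions has been sent.")


def reset_hardened(email: str, mailer: Mailer) -> str:
    """Same reply and same work on every path, whether or not the address exists."""
    addr = _normalize(email)
    token = secrets.token_urlsafe(32)   # generated unconditionally
    mailer.enqueue(addr, token)         # queued unconditionally; worker filters
    return GENERIC_REPLY
```

Pairing the uniform reply with per-address rate limiting on the form closes the remaining gap, since an attacker who cannot read the answer from the response text may still try to read it from timing or volume.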