
Even without breaches, don't count on websites to hide that you have an account with them

Lucian Constantin | July 27, 2015
Companies often fail to hide if an email address is associated with an account on their websites, even if the nature of their business calls for this and users implicitly expect it.

This makes it easy for anyone to check if the people they know have accounts on Adult Friend Finder by simply entering their email addresses on that page.

Of course, a defense is to use separate email addresses that no one knows about to create accounts on such websites. Some people probably do that already, but many of them don't because it's not convenient or they are not aware of this risk.

Even when websites are concerned about account enumeration and try to address the problem, they might fail to do it properly. Ashley Madison is one such example, according to Hunt.

When the researcher recently tested the website's forgotten password page, he received the following message whether the email addresses he entered existed or not: "Thank you for your forgotten password request. If that email address exists in our database, you will receive an email to that address shortly."

That's a good response because it neither confirms nor denies that the email address exists. However, Hunt observed another telltale sign: when the submitted email didn't exist, the page kept the form for entering another address above the response message, but when the email address existed, the form was removed.

On other websites the differences could be even more subtle. For example, the response page might be identical in both cases, but might be slower to load when the email exists because an email message also has to be sent as part of the process. It depends on the website, but in certain cases such timing differences can leak information.
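To make the two leaks concrete, here is an added example in Python (not code from Hunt's post or from the article): a forgotten-password handler that shows the form difference and the inline mail-send delay described above, a hardened version that returns the same page for every input and defers the lookup to a background worker, and a self-check you can run against your own handler. The user store, the response text and the 50 ms simulated mail delay are constructed assumptions.

```python
import queue
import time

# Constructed user store and response text; the real site's storage is not known.
USERS = {"alice@example.com": {"id": 1}}
MESSAGE = ("Thank you for your forgotten password request. If that email address "
           "exists in our database, you will receive an email to that address shortly.")
MAIL_QUEUE = queue.Queue()  # stands in for a real background job queue

def send_reset_mail(email):
    """Simulated SMTP round trip: the slow step that leaks timing when done inline."""
    time.sleep(0.05)

def leaky_forgot_password(email):
    """Reproduces both leaks in the article: neutral text, but the form is dropped
    for known addresses and the mail is sent inline, so the response is slower."""
    if email in USERS:
        send_reset_mail(email)
        return {"message": MESSAGE, "show_form": False}
    return {"message": MESSAGE, "show_form": True}

def hardened_forgot_password(email):
    """Same page for every input; no lookup or send happens on the request path."""
    MAIL_QUEUE.put(email)  # enqueue unconditionally; the worker decides
    return {"message": MESSAGE, "show_form": True}

def mail_worker_step():
    """Background step: only addresses that exist actually receive a reset mail."""
    email = MAIL_QUEUE.get()
    if email in USERS:
        send_reset_mail(email)
        return email
    return None

def enumeration_check(handler, known, unknown, max_delta_s=0.02):
    """Self-test for your own handler: compare page and latency for a known and an
    unknown address; returns the leaks found (empty list means indistinguishable)."""
    seen = {}
    for label, email in (("known", known), ("unknown", unknown)):
        start = time.perf_counter()
        page = handler(email)
        seen[label] = (page, time.perf_counter() - start)
    leaks = []
    if seen["known"][0] != seen["unknown"][0]:
        leaks.append("response differs")
    if abs(seen["known"][1] - seen["unknown"][1]) > max_delta_s:
        leaks.append("timing differs")
    return leaks
```

Run `enumeration_check` against both handlers with one address in `USERS` and one not: the leaky handler reports both differences, the hardened one reports none, and the queued job still only mails the address that exists.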

"So here's the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable," Hunt said in a blog post. "It doesn't take a data breach, sites will frequently tell you either directly or implicitly."

His advice for users who are concerned about this issue is to use an email alias or account that is not traceable back to them.
