blockchain Enumeration attack dangers While auditing Web applications, our experts found a vulnerability to enumeration attacks. Here is a description of the problem and how to combat it. Nikolay Pankov April 2, 2020 Recently, while testing a blockchain platform for vulnerabilities, our Kaspersky Blockchain Security experts found that the platform’s password recovery process was vulnerable to an attack through user name enumeration. Web developers need to be aware of this kind of attack and its dangers. What’s an enumeration attack? Web applications with password and login authentication typically include several components that interact with the user database: the login window (for obvious reasons), the registration form (to avoid duplication of user names), and the password reset page (to make sure that the corresponding account exists). If Web developers do not implement these features securely enough, attackers may be able to use them to determine if a certain username exists in the database. In the past, it was common for developers to implement all of those features without any protection, and attackers could use a list of usernames and a program that entered them one by one. Over time, to keep potential hackers out, developers began to apply protective tricks such as captcha, limits on the number of login attempts, and the use of asterisks or other means to conceal certain response details. In modern Web applications, the login window usually has this kind of protection. However, registration forms and password reset pages sometimes lack it. In addition, Web developers do not always consider that the presence or absence of a user in the database can be determined by the timing of the server response. For example, if the user name appears in the database, the server’s response takes 2 milliseconds. If not, the response takes twice as long — 4 milliseconds. To a human being, the difference is undetectable, but for automated enumeration tools, it’s easy to see. The dangers of a user name enumeration attack An enumeration attack allows a hacker to check whether a name exists in the database. That will not allow the hacker to log in immediately, but it gives them half of the necessary information. For example, to set up a brute-force attack, rather than searching through login and password pairs, all they need is a matching password for a verified user name, saving time and effort. Remember as well that almost every service uses e-mail addresses as user names. Therefore, the average user has one login for many websites, and not all sites take security equally seriously; news of login and password combination leaks is depressingly common. Consolidated collections of data from these leaks are available on hacker message boards. Also, people tend to use the same passwords on different websites, so after making sure that a user name exists on your website, an attacker can tap a collection like that to see if passwords for the same user exist on other sites — and then try those passwords. In addition, spear-phishing operators often employ enumeration attacks during the reconnaissance phase. Having ascertained that their target has an account with your service, they can send an e-mail that appears to come from you, asking the user to change their password and linking to a phishing page that looks like your website. When the unsuspecting customer enters a new password, they also have to confirm the old one — and thus provide the scammers with all they need. How to protect yourself from an enumeration attack Have you ever noticed how modern websites respond to the submission of a password reset form? They do not say “A link to reset your password has been sent to you” or “The specified e-mail is not in our database,” as websites used to. Instead, they write, “If this e-mail exists in our database, we will send you a message with a link.” In other words, websites do not explicitly confirm or deny the existence of the user name. They made the change specifically to protect against enumeration attacks. In the same vein, there is no need for you to explain in detail in the login window that the user entered an incorrect password or that no such user name exists in the system. Just say that the login/password combination was not found. It’s not ideal from a UX standpoint — I, for one, get exasperated when I forget which e-mail I used for registration but I’m pretty sure about the password, or vice versa, but the website gives me no clue about which field I got wrong. However, security virtually always comes at the cost of comfort, and in the case of authentication services, a minor security bias is justified. Of course, use of a captcha and limitations on login attempts are also a must. In addition to that, to ensure the security of your Web application, we recommend undergoing a third-party audit. And if you are in blockchain technology, our colleagues from Kaspersky Blockchain Security can help with Web application security analysis.
Read next Transatlantic Cable podcast, episode 136 In this episode, Dave and Jeff sit down with Kristina Shingareva to discuss the stalkerware problem.
Tips How to set up security and privacy in Strava Want to keep your runs, rides, and hikes private on Strava? This guide will walk you through the essential privacy settings in this popular fitness app.
Tips Run for your data: Privacy settings in jogging apps Running apps know a lot about their users, so it’s worth setting them up to ensure your data doesn’t fall into the wrong hands. Here’s how.
Tips When you get a login code for an account you don’t have What to do if you receive a text with a two-factor authentication code from a service you’ve never registered for.
Tips School and cyberthreats Why cybersecurity in education is critical, and how to protect schools from attacks.