What is User Enumeration? How to Enumerate Registered Users of any Website like Facebook and Twitter




An enumeration is a complete, ordered listing of all the items in a collection. The term is commonly used in mathematics and computer science to refer to a listing of all of the elements of a set. 


Enumeration in information security is the process of extracting user names, machine names, network resources, and other services from a system. All the gathered information is used to identify the vulnerabilities or weak points in system security and then tries to exploit it. There are many types of enumeration.

User Enumeration: 

User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication.


Enumeration is the process of identifying users accounts, usernames, emails and other resources. Basically, It is the process to gather information.


How To Enumerate?

The most common areas where user enumeration occurs are in a site's registration or login page and its ‘Forgot Password' functionality.
 

Facebook Users Email and Mobile number Enumeration through Login


Steps:

First of all visit http://free.facebook.com/
Secondly, enter any email address(not connected to any fb account) in email and leave the password field blank.
Next click on 'Login'
Now you'll receive an error 
"The email address that you've entered doesn't match any account."
 
 



Again, enter your correct email address(connected to your fb account) in email and leave the password field blank.
Next click on 'Login'
Now you'll receive an error 

"The password you entered is incorrect"







If the email is not registered you'll get first error, If the email is registered u'll receive a second error.

instead of this error "Invalid username or password"


Also, check this behaviour on other subdomains
Now check mobile phone numbers
Similarly, enter a mobile phone number in email address or mobile and check the error.

Number Not Registered




Registered number







So, 
By Bruteforcing we can gather and collect all registered emails and numbers of Fb users.



 Length 2351 means 2000 indicates that number is registered with any Facebook user account and 1962 means 1000 indicates that number is not registered or connected with Facebook.

 
Through this, we can identify a huge number of registered email address and mobile phone no of Facebook users by Brute forcing.




Twitter Users Username and Email Enumeration through API:

First, visit this link

http://api.twitter.com/i/users/email_available.json?email=(email)
or
http://api.twitter.com/i/users/username_available.json?username=(user)


After email= or username= , enter any email address or username. If the email or username is registered then you'll get the response
"Email has already been taken"
"Username has already been taken"
&
If not, u'll get the response "Available"

By Bruteforcing,

Length: 1050 or + indicates that user exists with this email




Length: 1030 indicates that user doesn't exist with this email





  
Through this, we can identify a huge number of registered username and email address of Twitter users by Brute forcing. 
 


Remediation

There are lot of ways to prevent this,
  • Handle Errors properly or correctly
  • Apply Rate Limit
  • Use Captcha
  • Use WAF (Web Application Firewall)

Login
  • Make sure to return a generic “No such username or password” message when a login failure occurs.
  • Make sure the HTTP response, and the time taken to respond are no different when a username does not exist, and an incorrect password is entered.
Password Reset
  • Make sure your “forgotten password” page does not reveal usernames.
  • If your password reset process involves sending an email, have the user enter their email address. Then send an email with a password reset link if the account exists.
Registration
  • Avoid having your site tell people that a supplied username is already taken.
  • If your usernames are email addresses, send a password reset email if a user tries to sign-up with an existing address.
  • If usernames are not email addresses, protect your sign-up page with a CAPTCHA.


 
Conclusion:

 Allowing enumeration of users (username, email and mobile phone number etc.) has no direct security implications itself, but could result in other types of vulnerabilities and attacks which compromise the users security.

Thanks for reading.

Comments

Post a Comment

Popular posts from this blog

XSS like a Pro

Image
Hello Friends, I'm gonna share my interesting finding here. Recently,  About two months ago,  I received a private invitation on Bugcrowd and the next day I started to look for bugs on that website because there was only one target (testing site) in scope and they provided me some credentials. I can't disclose the site name, so let's assume https://redacted.com First of all, I logged-in to that site (redacted.com) with the provided credentials and inspected the site around 15 minutes and tried to understand it. After that, I started to look for bugs and found multiple bugs mostly stored XSS. At that day, I had found a total 11 vulnerabilities. I reported them and received a bounty on each report. So, I'm not disclosing the bounties. Also, I'm not sharing my all findings but some. So,  At the beginning, I tried to change my default password and successfully changed my password to '1' which was the first bug that there is no password policy.
Read more

Email Spoofing for Beginners

Image
Hello Everyone, Greetings to all, In this article, I'll talk about email spoofing in a little depth. So, First of all What is Email Spoofing?  If you already know about email spoofing then congratulations But don't worry if u don't know about email spoofing. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. It's not a new technique. It's a very old technique and still widely used in phishing and scamming. This article is going to be interesting and I'll try to short this long article as much simple as possible. Recently, my friend ask me How it's possible to spoof an email? So, there are a lot of questions related to this issue.  When a Domain is Spoofable? It is just as simple in an email as well because email protocols (SMTP) lack authentication. Anyone with a little basic knowledge can able to send an email wit
Read more

DoS on WAF Protected Sites by Abusing Cookie

Image
Hi Folks, Today, I'm gonna share one of my interesting finding in bug bounty. I occasionally hunt bugs in bug bounty in my free time. So, I don't have enough time to blog. But on someone request, I share some of my bug bounty findings here. I like to find some interesting and logical bugs. Recently, I found an interesting bug in many sites but I can't disclose the name of every website, one website 'Upwork' already patched this bug and resolved the report that's why I disclose the name. So, what's the bug?   Denial of Service (DoS) > Single user cookie based DoS There are a lot of websites using WAF like Cloudflare etc. When the Cookie sets with malicious characters(like"><script> alert(1)</script> mean  with XSS or SQLI payloads etc.) value, the site WAF like Cloudflare block us from accessing that website, we need to remove that cookie to access the site Many websites sets 'Referrer'
Read more