What is User Enumeration? How to Enumerate Registered Users of any Website like Facebook and Twitter




An enumeration is a complete, ordered listing of all the items in a collection. The term is commonly used in mathematics and computer science to refer to a listing of all of the elements of a set. 


Enumeration in information security is the process of extracting user names, machine names, network resources, and other services from a system. The gathered information is used to identify vulnerabilities or weak points in the system's security, which an attacker then tries to exploit. There are many types of enumeration.

User Enumeration: 

User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication.


Enumeration is the process of identifying user accounts, usernames, emails and other resources. Basically, it is an information-gathering process.


How To Enumerate?

The most common areas where user enumeration occurs are a site's registration or login page and its 'Forgot Password' functionality.
 

Facebook Users Email and Mobile number Enumeration through Login


Steps:

1. First of all, visit http://free.facebook.com/
2. Enter any email address (not connected to any Facebook account) in the email field and leave the password field blank.
3. Click on 'Login'.

Now you'll receive the error:
"The email address that you've entered doesn't match any account."



4. Again, enter your correct email address (connected to your Facebook account) in the email field and leave the password field blank.
5. Click on 'Login'.

Now you'll receive the error:

"The password you entered is incorrect"







If the email is not registered you'll get the first error; if the email is registered you'll receive the second error,

instead of a single generic error such as "Invalid username or password".


Also, check this behaviour on other subdomains.
Now check mobile phone numbers:
similarly, enter a mobile phone number in the email address or mobile field and check the error.

Number Not Registered




Registered number







So, by brute-forcing, the registered emails and numbers of Facebook users can be gathered and collected.



A response length of 2351 (for 2000) indicates that the number is registered to a Facebook user account, and a length of 1962 (for 1000) indicates that the number is not registered or connected with Facebook.

 
Through this, a huge number of registered email addresses and mobile phone numbers of Facebook users can be identified by brute-forcing.





Twitter Users Username and Email Enumeration through API:

First, visit this link

http://api.twitter.com/i/users/email_available.json?email=(email)
or
http://api.twitter.com/i/users/username_available.json?username=(user)


After email= or username=, enter any email address or username. If the email or username is registered, you'll get the response
"Email has already been taken"
or
"Username has already been taken"
and if not, you'll get the response "Available".

By brute-forcing:

Length: 1050 or more indicates that a user exists with this email




Length: 1030 indicates that no user exists with this email





  
Through this, a huge number of registered usernames and email addresses of Twitter users can be identified by brute-forcing.
 


Remediation

There are many ways to prevent this:

  • Handle errors correctly
  • Apply Rate Limit
  • Use Captcha
  • Use WAF (Web Application Firewall)

Login
  • Make sure to return a generic “No such username or password” message when a login failure occurs.
  • Make sure the HTTP response, and the time taken to respond are no different when a username does not exist, and an incorrect password is entered.
Password Reset
  • Make sure your “forgotten password” page does not reveal usernames.
  • If your password reset process involves sending an email, have the user enter their email address. Then send an email with a password reset link if the account exists.
Registration
  • Avoid having your site tell people that a supplied username is already taken.
  • If your usernames are email addresses, send a password reset email if a user tries to sign-up with an existing address.
  • If usernames are not email addresses, protect your sign-up page with a CAPTCHA.
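As an added illustration of the login and password-reset points above (example code written for this post, not from the original article or any of the sites it discusses; the user store, hashing parameters and messages are constructed assumptions), here is the leaky login behaviour beside a hardened one that returns a single generic message and does the same hashing work whether the account exists or not:

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password"
RESET_MESSAGE = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store (email -> (salt, hash)); these are not real accounts.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential verified when the email is unknown, so the unknown-user path
# does the same PBKDF2 work as a wrong password for a real user (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-value-never-accepted", _DUMMY_SALT)


def leaky_login(email: str, password: str) -> str:
    """The vulnerable behaviour described above: two distinct error messages."""
    if email not in USERS:
        return "The email address that you've entered doesn't match any account."
    salt, stored = USERS[email]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "The password you entered is incorrect"
    return "OK"


def hardened_login(email: str, password: str) -> str:
    """Same message and same amount of work for an unknown email and a wrong password."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    known = email in USERS  # a match against the dummy hash must never log anyone in
    return "OK" if (matched and known) else GENERIC_FAILURE


def request_password_reset(email: str, send_email) -> str:
    """Always answer identically; the reset email itself only goes to existing accounts."""
    if email in USERS:
        send_email(email, "Your password reset link")
    return RESET_MESSAGE
```

The response body, status code and work done are identical in both failure branches of hardened_login, which is what removes the oracle; rate limiting and CAPTCHA are still needed to slow brute-force attempts against the reset endpoint.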


 
Conclusion:

Allowing enumeration of users (username, email, mobile phone number, etc.) has no direct security impact by itself, but it can enable other types of vulnerabilities and attacks which compromise users' security.



Thanks for reading.
