Veris: User enumeration via error message

2016-03-16T00:07:44
ID H1:123496
Type hackerone
Reporter zuh4n
Modified 2016-03-18T05:59:17

Description

Hi guys,

Well, the issue is in authentication process, an attacker able to enumerate registered users on the site via brute forcing the login page, in case when user is not exist, system returns the following error message: "User not exist", in case when user exist, but incorrect password: "Password does not match".

Mitigation: handle the above situation correctly, e.g.: "Login failed. Invalid user ID or password". This doesn't inform the attacker on which credential is wrong and make enumeration more difficult

Thanks