4.8 GHT2-008 --- Account Registration Allows User Enumeration
Vulnerability ID: GHT2-008
Retest status:
Vulnerability type: User Enumeration
Threat level: Moderate
Description:
Usernames and e-mail addresses can be enumerated by abusing the new-account registration functionality.
Technical description:
If an account already exists, the following error is shown:
Affected fields:
- email address
- username
Impact:
- Valid user names can be enumerated and used in further attacks.
Recommendation:
- Modify the functionality to return only a generic response that makes it impossible to distinguish between a valid username or e-mail address and an invalid one, and implement a CAPTCHA.
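As an added example that is not part of this report or of the assessed application, the Python sketch below places a registration handler that leaks account existence through distinct error messages beside one that returns the single generic response recommended above, and includes the check a retester would run against both. All names, messages and the sample user store are assumptions; the CAPTCHA part of the recommendation is not covered.

```python
# Added example (not from the report): a registration endpoint that leaks
# account existence through distinct errors, beside a hardened variant that
# returns one generic response and resolves existence over e-mail instead.
from dataclasses import dataclass, field


@dataclass
class UserStore:
    # Constructed sample data: one existing account, username -> e-mail.
    users: dict = field(default_factory=lambda: {"alice": "alice@example.com"})
    outbox: list = field(default_factory=list)  # e-mails the app would send


def register_leaky(store, username, email):
    """Vulnerable: each failure has its own message, so an unauthenticated
    caller learns whether the username or the e-mail address is taken."""
    if username in store.users:
        return 409, "Username already exists"
    if email in store.users.values():
        return 409, "Email address already registered"
    store.users[username] = email
    return 201, "Account created"


GENERIC = "If the details you entered are valid, we have sent you an e-mail."


def register_generic(store, username, email):
    """Hardened: identical status and body on every path. Whether the account
    exists is communicated only to the mailbox owner, never to the caller."""
    if email in store.users.values():
        store.outbox.append(("existing-account-notice", email))
    else:
        # Username availability is settled after the address is verified,
        # so the HTTP response cannot reveal it either.
        store.outbox.append(("verify-then-complete-signup", email))
    return 202, GENERIC


def distinct_responses(handler, attempts):
    """Check a handler the way a retester would: submit a known-taken
    username, a known-taken e-mail and a fresh pair, then count distinct
    responses. A result of 1 means the caller gets nothing to enumerate."""
    store = UserStore()
    return len({handler(store, u, e) for u, e in attempts})


PROBES = [("alice", "new@example.com"),      # taken username
          ("bob", "alice@example.com"),      # taken e-mail
          ("carol", "carol@example.com")]    # fresh account
```

Run `distinct_responses(register_leaky, PROBES)` and `distinct_responses(register_generic, PROBES)`: the leaky handler yields three distinguishable responses, the generic one yields a single response.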