Fix username enumeration vulnerability #2184
Conversation
jayjay-w
force-pushed
the
CV2-5909-generic-responses-when-creating-user
branch
2 times, most recently
from
4a618df to
fe67c0a
Compare
When creating a user account using an email that has already been taken, or when logging in with an email that does not exist in the database, the error messages should be generic and should not indicate that the email already exists, or that the email does not exist (in the case of logins) Here we are adding the tests for this behaviour.
jayjay-w
force-pushed
the
CV2-5909-generic-responses-when-creating-user
branch
from
fe67c0a to
f721f1c
Compare
When registering new users, respond with the same message whether the email address exists or not.
|
Code Climate has analyzed commit 7a9de42 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (100% is the threshold). This pull request will bring the total coverage in the repository to 100.0% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
@jayjay-w , code looks good, and I also executed the two tests you implemented and they look good as well. Just one thing I noticed, this is why I'm leaving this review as "comment"... for both cases (email exists and email doesn't exist), we return the "Please check your email" message, but with different design/behavior from Check Web:
User doesn't exist:
User exists:
Can you please:
- Check if there is a way to unify that from the backend side?
- If not, file a ticket for the frontend work that is needed?
|
Thank you for your review, @caiosba. I checked the implementation and this will need more work on the front end side to change the behavior. This is because:
In the current set up, an attacker would know whether an email exists or not, just by the behavior of the pages, even if we change the messages to be uniform. I will open a ticket so that we can discuss on the best way to update the workflow. |
|
@jayjay-w , what's the difference in the API response between these cases? |
|
In the API layer, the responses are the same ( The difference is in the payload. When a registration is successful, we return the new User object in the response. So the question is whether we should change the successful response to not return the user object. If we do this, then the two scenarios will behave the same, however we will have lost the current UX for successful sign ups. |
@jayjay-w I think we should make the response be exactly the same for both cases... do you see any issues with that? |
No that should be OK, other than the fact that a user who has successfully signed up will still see the form with an error message. As discussed, we will change the approach to return a 200 response in the case where the user signs up successfully and where the only error is an email that's already in use. |
Thanks, I'm going to add a comment to the ticket with the other things we discussed. |
- Change the message that's shown on successful sign up - Treat successful sign up and duplicate email flows the same way
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
There was a problem hiding this comment.
Great work, @jayjay-w ! I tested locally that for both cases (email exists and email doesn't exist), the error message is the same and the request response is the same too. I also confirmed that the password error is displayed and that users are still able to register and login. Before merging, please fix the Code Climate issue and make sure that all tests are passing and that the code is 100% covered.
Description
When creating a user account any error messages should be generic and should not indicate that the email already exists, or that the email does not exist.
References: CV2-5909
How has this been tested?
Confirmed that the error messages when registering with an existing email or when registering in with a non-existent email are generic and do not leak details about the email addresses stored in the database.
Checklist