2

I was registering on an e-commerce website (no, I'm not gonna name it), when, due to my pentest nature, I captured the GET request for resending a confirmation email.

Kinda like: http://www.example.com/resend?email=someguy%40domain.com

What I noticed was, when I entered a registered email (on the website, my friend's account) as the GET request, I saw a blank page. When I entered an unregistered but existent email (my alternate email), i got redirected to the homepage, i.e. ecommerce.com

Is this a serious vulnerability? All it can tell is if someone is registered or not, but then again, a python script and you could process it all quite fast.

Should I report this?

forest
  • 66,706
  • 20
  • 212
  • 270
poiasd
  • 63
  • 4

2 Answers2

5

You are right in that is an information disclosure, someone can easily discover valid usernames and then try and crack their security. If I was the site owner I'd like to know about it. Ideally you would notify the site owner, they may have an email address for that or a contact us link you could use.

The one caveat is that some places have misguided anti-hacking laws which make even ethical hacking illegal. Germany is an example although in practice they don't seem to be chasing people for performing helpful acts. It's highly unlikely that any negatives would come from this, and who knows, they may even send you a t-shirt or pay your a bug bounty.

GdD
  • 17,399
  • 2
  • 42
  • 64
  • Well I'm in India, so I doubt that they would try and sue me, but I'll report it to them right away. Thanks! – poiasd Sep 23 '14 at 08:16
  • Good for you for doing that. And a good pickup on the issue itself. – GdD Sep 23 '14 at 13:59
2

This is not a serious vulnerability - its username enumeration. By itself its a Low risk vulnerability.

By itself its difficult to use as you need to guess valid email address to determine if they have an account.

Where it becomes useful is if you have previous breach data with a list of emails and plaintext credentials. You can use the enumeration to determine if a user is registered and then test credentials from the previous breach against it to try and gain access.

The reason its low is by itself the disclosed information is not that useful, its only when you chain it with credential data that may or may not match the target system will it be useful.

McMatty
  • 3,270
  • 1
  • 9
  • 16