Even without breaches, don't count on websites to hide that you have an account with them

Online dating websites Adult Friend Finder and Ashley Madison were exposed to account enumeration attacks, researcher finds

Companies often fail to hide if an email address is associated with an account on their websites, even if the nature of their business calls for this and users implicitly expect it.

This has been highlighted by data breaches at online dating sites AdultFriendFinder.com and AshleyMadison.com, which cater to people looking for one-time sexual encounters or extramarital affairs. Both were vulnerable to a very common and rarely addressed website security risk known as account or user enumeration.

In the Adult Friend Finder hack, information was leaked on almost 3.9 million registered users, out of the 63 million registered on the site. With Ashley Madison, hackers claim to have access to customer records, including nude pictures, conversations and credit card transactions, but have reportedly leaked only 2,500 user names so far. The site has 33 million members.

People with accounts on those websites are likely very concerned, not only because their intimate pictures and confidential information might be in the hands of hackers, but because the mere fact of having an account on those websites could cause them grief in their personal lives.

The problem is that even before these data breaches, many users' association with the two websites was not well protected and it was easy to discover if a particular email address had been used to register an account.

The Open Web Application Security Project (OWASP), a community of security professionals that drafts guides about how to defend against the most common security flaws on the Web, explains the issue. Web applications often reveal when a username exists on a system, either because of a misconfiguration or as a design decision, one of the group's documents says. When someone submits the wrong credentials, they may receive a message saying that the username is present on the system or that the password provided is wrong. Information obtained in this way can be used by an attacker to gain a list of users on a system.

Account enumeration can exist in multiple parts of a website, for example in the log-in form, the account registration form or the password reset form. It's caused by the website responding differently when a submitted email address is associated with an existing account versus when it is not.

Following the breach at Adult Friend Finder, a security researcher named Troy Hunt, who also runs the HaveIBeenPwned.com service, found that the website had an account enumeration issue on its forgotten password page.

Even now, if an email address that's not associated with an account is entered into the form on that page, Adult Friend Finder will reply with: "Invalid email." If the address exists, the website will say that an email was sent with instructions to reset the password.

This makes it easy for anyone to check if the people they know have accounts on Adult Friend Finder by simply entering their email addresses on that page.

Of course, a defense is to use separate email addresses that no one knows about to create accounts on such websites. Some people probably do that already, but many of them don't because it's not convenient or they are not aware of this risk.

Even when websites are concerned about account enumeration and try to address the problem, they might fail to do it properly. Ashley Madison is one such example, according to Hunt.

When the researcher recently tested the website's forgotten password page, he received the following message whether the email addresses he entered existed or not: "Thank you for your forgotten password request. If that email address exists in our database, you will receive an email to that address shortly."

That's a good response because it doesn't deny or confirm the existence of an email address. However, Hunt observed another telltale sign: When the submitted email didn't exist, the page retained the form for inputting another address above the response message, but when the email address existed, the form was removed.

On other websites the differences could be even more subtle. For example, the response page might be identical in both cases, but might be slower to load when the email exists because an email message also has to be sent as part of the process. It depends on the website, but in certain cases such timing differences can leak information.
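To make the two failure modes above concrete, here is an added example (not code from the article or from either website) of a password-reset handler: first the leaky form, which differs in message, page layout and timing, then a hardened form that returns the same response either way and hands the email to a background worker. The user store and outbox are constructed in-memory stand-ins.

```python
import threading
import time

# Constructed sample data: which addresses are registered, plus an outbox
# standing in for the mail system. Not real accounts.
REGISTERED = {"alice@example.com", "bob@example.com"}
OUTBOX = []

def send_reset_email(address):
    # Stand-in for real mail delivery; the sleep models the slow part.
    time.sleep(0.05)
    OUTBOX.append(address)

def reset_vulnerable(address):
    """Leaks account existence three ways: different text, different page
    layout, and a slower reply when the address exists (mail sent inline)."""
    if address not in REGISTERED:
        return {"status": 400, "body": "Invalid email.", "show_form": True}
    send_reset_email(address)
    return {"status": 200, "body": "Instructions sent to your address.",
            "show_form": False}

NEUTRAL = ("Thank you for your forgotten password request. If that email "
           "address exists in our database, you will receive an email to "
           "that address shortly.")

def reset_hardened(address):
    """Same status, body and layout whether or not the address is known.
    The email is queued to a background thread (a real app would use a job
    queue) so the caller sees no timing difference either."""
    if address in REGISTERED:
        threading.Thread(target=send_reset_email, args=(address,),
                         daemon=True).start()
    return {"status": 200, "body": NEUTRAL, "show_form": True}

def responses_distinguishable(handler, known, unknown):
    """Defender's self-check: does the handler answer a registered and an
    unregistered address differently in content or in response time?
    The 20 ms tolerance absorbs scheduler jitter."""
    t0 = time.perf_counter(); a = handler(known); ta = time.perf_counter() - t0
    t0 = time.perf_counter(); b = handler(unknown); tb = time.perf_counter() - t0
    same_content = a == b
    same_timing = abs(ta - tb) < 0.02
    return not (same_content and same_timing)
```

Run the self-check against every form that takes an email address (log-in, registration, reset), since any one of them can leak what the others hide.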

"So here's the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable," Hunt said in a blog post. "It doesn't take a data breach, sites will frequently tell you either directly or implicitly."

His advice for users who are concerned about this issue is to use an email alias or account that is not traceable back to them.

Stories by Lucian Constantin