Identity Management / Enumerable or Guessable User Accounts
Description
Enumerable or guessable user accounts, classified as CWE-203: Observable Discrepancy, is an identity management vulnerability that occurs when it is possible to check for and collect valid login usernames by interacting with the service, without knowledge of the specific account credentials. This vulnerability can occur in web applications and APIs, and can be exploited by attackers to specifically target known accounts. According to the OWASP Testing Guide, this vulnerability can be tested for by e.g. analyzing the response of the system to authentication requests or probing access to profile pages. If the server specifically responds with a message that the account does not exist, instead of responding that the combination of username and password as a whole is incorrect, it may be inferred whether a certain username is valid or not. Another issue could be that the timing between existing and non-existing user account is different (side-channel attack). Easily guessable user account names, such as usernames with a guessable pattern (e.g. user0001, user0002, ...) or often used names (e.g. admin, test) also make this vulnerability easier to exploit.
Risk
The exploitation of guessable user accounts can allow an attacker to collect valid usernames, which can be used as information for subsequent attacks, including social engineering, credential stuffing or other attacks requiring valid usernames.
Solution
Guessable user accounts can be mitigated by following best practices for user account management. Authentication responses should not reveal other information apart from whether the login as a whole was successful or not. When email addresses are used as login names, "Forgot Password" forms should not reveal whether the email address is registered with the system or not. Other requests which require usernames should prevent enumeration of usernames, e.g. by rate limiting, CAPTCHAs, or requiring additional information such as a server signature of the request parameters. Default or test accounts should be removed before moving to a production system. Additionally, user authentication should be monitored.