Authentication / Time-based User Enumeration

Web and API

Description

The affected application can be used to find out whether user accounts (e-mail addresses) exist in the system. This is a so-called time-based user enumeration: depending on whether a user exists or not, a request to the endpoint takes a measurably different amount of time. To reduce the influence of the system's own timing variation, and with it the number of false positives, the test has to be repeated several times so that a statistical mean can be calculated from the measurements. From that mean it can then be determined with high probability whether a given e-mail address exists.

Risk

An attacker could use the affected endpoint to check whether email addresses exist in the system.

Solution

Adjust password verification so that a login attempt with an unknown user account takes approximately the same time as one with an existing account.
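One way to implement this, as an added example that is not part of the original finding: the login handler hashes the supplied password against a dummy record whenever the account is unknown, so the expensive step is performed on every attempt. The user store, salts, the PBKDF2 parameters and the `HASH_CALLS` counter are constructed for illustration only.

```python
import hashlib
import hmac
import os

# Assumption: one fixed hashing cost for every account (constructed value).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed sample user store: {email: (salt, password_hash)}.
_SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice@example.com": (_SALT_A, hash_password("correct horse", _SALT_A))}

# Dummy record with the same hashing cost, used when the account does not exist.
# The dummy password is random, so the comparison can never succeed by accident.
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

HASH_CALLS = {"count": 0}  # instrumentation: counts how often hashing work is done


def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_vulnerable(email: str, password: str) -> bool:
    # Returns early for unknown accounts: no hashing, so the response is faster
    # and an attacker can tell existing from non-existing addresses.
    record = USERS.get(email)
    if record is None:
        return False
    salt, expected = record
    return _verify(password, salt, expected)


def login_hardened(email: str, password: str) -> bool:
    # Always performs the same hashing work. Unknown accounts are verified
    # against the dummy record and the result is discarded afterwards.
    record = USERS.get(email)
    if record is None:
        salt, expected, exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, expected), exists = record, True
    ok = _verify(password, salt, expected)
    return ok and exists
```

The remaining timing difference is then limited to the user lookup itself, which should be checked with the same repeated measurements the finding describes.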
