In the Name of Allah, the Most Beneficent, the Most Merciful.
All the praises and thanks be to Allah, the Lord of the ‘Alamin (mankind, jinns and all that exists)
Good day! I hope this message finds everyone in good health and spirits. Without further ado, let me dive into today’s Bug: User Enumeration Vulnerability.
At first glance, user enumeration may seem like a minor issue, often marked as “informative” on platforms like HackerOne or Bugcrowd. However, the situation I encountered was distinct, as it occurred on a self-hosted platform, which added weight to the findings.
Note: I’ll refer to the target as gaza.com
The application has a search feature enabling users to find others. Initially, I noticed that by entering email addresses, I could enumerate user accounts. At first, I assumed this was intended functionality and dismissed it as unworthy of reporting. A few days later, I revisited the platform and tested the search functionality again. This time, I explored it more thoroughly.
Summary of the Report:
The search functionality on the site leaks usernames associated with valid email addresses. This allows attackers to enumerate user accounts and confirm the existence of specific email addresses in the system. Here’s how it works:
- When an email exists in the system, the search feature confirms its validity by displaying the usernames associated with that email.
- Searching by domain (e.g., @yahoo.com, @palestine.com) lists all users with the specified email domain.
- An attacker can modify the search pattern (e.g., l@gmail.com, lu@gmail.com, luc@gmail.com, etc.) to narrow the results down to individual users.
Steps to Reproduce:
1. Navigate to the search bar designed for finding friends.
2. Input an email pattern, e.g., @palestine.com.
3. Observe that the application displays users with email addresses from that domain.
4. Refine the search using partial email prefixes (e.g., l@gmail.com, lu@gmail.com, luc@gmail.com, etc.) to enumerate specific users.
5. Using this method, I discovered two valid users (e.g., redacted@gmail.com).
Impact:
Attackers can use this feature to enumerate and collect usernames and their associated email addresses. The information can be leveraged for:
- Targeted phishing attacks
- Social engineering
- Brute-force attacks
Initially, I was unsure whether this was worth reporting, but I submitted it nonetheless, trusting in Allah’s plans. To my surprise, the program rated the issue as Medium severity, marking my first Medium-level report. Alhamdulillah!
The application’s rate-limiting mechanism can be bypassed by rotating the IP address, so the rate limit does not effectively restrict the search.
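To make the mechanism concrete from the defender’s side, here is an added Python model (not code from the original post or from the target application) of a “find friends” search that behaves as described above, placed beside a hardened version and a small log-side detector for the prefix-probing pattern. The user directory, the usernames, the discoverable flag, the per-account budget and the actor IDs are all constructed assumptions.

```python
"""Leaky email search vs. a hardened one, plus a detector for prefix probing.
Added example; the directory below is constructed and contains no real accounts."""
import re
import time
from collections import defaultdict

# Constructed sample directory (assumption: the app stores username + email).
USERS = [
    {"username": "lucas_p", "email": "luc@gmail.com", "discoverable": True},
    {"username": "leila_h", "email": "leila@gmail.com", "discoverable": True},
    {"username": "omar22", "email": "omar@palestine.com", "discoverable": True},
    {"username": "lina.k", "email": "lina@palestine.com", "discoverable": False},
    {"username": "sara", "email": "sara@yahoo.com", "discoverable": True},
]


def vulnerable_search(query):
    """Leaky behaviour as the report describes it: the local part is matched as a
    prefix and the domain as a suffix, so '@palestine.com' lists a whole domain
    and 'l@', 'lu@', 'luc@gmail.com' narrow the result down to one account."""
    local, _, domain = query.strip().lower().partition("@")
    hits = []
    for user in USERS:
        user_local, _, user_domain = user["email"].lower().partition("@")
        if user_local.startswith(local) and user_domain.endswith(domain):
            hits.append(user["username"])
    return hits


# A query must be a complete address before it is allowed to touch the directory.
FULL_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class HardenedSearch:
    """Exact full-address match on opted-in users only. Partial and domain-only
    queries get the same empty response as a miss, and the budget is keyed on the
    authenticated account rather than the source IP, so rotating IPs buys nothing."""

    def __init__(self, max_per_minute=10):
        self.max_per_minute = max_per_minute
        self._calls = defaultdict(list)  # actor_id -> timestamps of recent queries

    def _within_budget(self, actor_id, now):
        recent = [t for t in self._calls[actor_id] if now - t < 60]
        if len(recent) >= self.max_per_minute:
            self._calls[actor_id] = recent
            return False
        recent.append(now)
        self._calls[actor_id] = recent
        return True

    def search(self, actor_id, query, now=None):
        now = time.time() if now is None else now
        if not self._within_budget(actor_id, now):
            return {"status": "rate_limited", "results": []}
        q = query.strip().lower()
        if not FULL_ADDRESS.fullmatch(q):
            return {"status": "ok", "results": []}  # never reaches the directory
        hits = [u["username"] for u in USERS
                if u["discoverable"] and u["email"].lower() == q]
        return {"status": "ok", "results": hits}


def looks_like_enumeration(queries, min_chain=3):
    """Detection heuristic over one account's search log: flags a run of queries
    against a single domain whose local parts grow one character at a time."""
    chain, prev = 1, None
    for q in (x.strip().lower() for x in queries):
        local, _, domain = q.partition("@")
        if (prev and domain == prev[1] and local.startswith(prev[0])
                and len(local) == len(prev[0]) + 1):
            chain += 1
            if chain >= min_chain:
                return True
        else:
            chain = 1
        prev = (local, domain)
    return False


if __name__ == "__main__":
    for probe in ("@palestine.com", "l@gmail.com", "lu@gmail.com"):
        print(probe, "->", vulnerable_search(probe))
    hardened = HardenedSearch()
    print("hardened '@palestine.com' ->", hardened.search("acct-1", "@palestine.com"))
    print("hardened 'luc@gmail.com' ->", hardened.search("acct-1", "luc@gmail.com"))
    print("probing pattern flagged:",
          looks_like_enumeration(["@gmail.com", "l@gmail.com", "lu@gmail.com"]))
```

Three design points carry the fix: the directory is only consulted for a syntactically complete address, so domain and prefix queries never distinguish a hit from a miss; only users who opted in to being discoverable are returned, so an exact address still reveals nothing about everyone else; and the rate limit is tied to the authenticated account instead of the client IP, which removes the IP-rotation bypass mentioned above. The detector is a cheap log-side signal for the same pattern when the search itself cannot be changed right away.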
Key Takeaway:
Always report what you suspect might be an issue, even if you’re uncertain. What seems like an intended feature could have significant unintended consequences.
I appreciate the opportunity to share this with you all. Allah is indeed the best of planners.
For any suggestions or corrections, kindly reach out to me:
Twitter — callgh0st
The Zionists have no right to the land of Palestine. There is no place for them on the land of Palestine.