Community Security - Identifying Information

(Pete Mallam) #1

I’ve literally just come across this as I forgot my password, but assuming that a user has the same email registered for their Mondo account as they do for the Community it is giving away a little too much information.

I would expect you to have an identical process if the email exists or not, with a “If your email matches one on file we will have sent you a reset link” type message regardless.

(Daniel Chatfield) #2

I’m a Security Engineer at Mondo.

The risk you are describing is called user enumeration. If the knowledge that a given user has an account could be damaging to that person (e.g. on a pornography website) then user enumeration should be mitigated in the way you describe (not distinguishing between there being an account or not).

However, for sites that do not have this risk, it is no longer considered best practice to make such a distinction. If you try and log in to Google or Facebook you’ll notice that they both distinguish between the email existing or not.

The only semi-practical attack is a targeted phishing attack. In reality, a phisher usually does not care whether a victim has an account with the service or not - they cast a wide net and hope to catch some users. We (as in the Mondo service, not the community forums) mitigate this by not having passwords to phish in the first place.

So, whilst the security benefits are small, the usability benefits of making a distinction are clear - it can get very frustrating if you can’t remember which email you used and you don’t know whether the email hasn’t come through yet or you typed the wrong one.

This is a bit tangential but at some point I’d like to write a blog post on our long term plans for authentication. We want to make the process as smooth as we can for 99% of people whilst keeping your account secure.


(James Billingham) #3

Back when Cuvva still had passwords (which we don’t any more), we always sent an email regardless. Then the email would either contain a password reset link, or would let you know that there is no account against the email address.

I think that’s probably a decent middle-ground for this type of case. It also resolves timing attack issues, in case your system sends emails synchronously for some reason.

(Pete Mallam) #4

Hi Daniel.

I understand the risks and implications which is why I raise the point. As a social network Facebook and Google work on the premise that everyone has an account and your email is the key to people connecting to your social circle.

Mondo isn’t a social network.

In the assumption that people who sign up for the service will use the same email when signing into the community forum, or even a high enough percentage of them, you run the risk of providing information which can be used by someone for nasty purposes. Yes, one vector is spear phishing, but you are giving far too much information with regards to identity theft and attacks on or via other services. As a bank I would hope that this is taken seriously.

The industry I work in is anti malware, even we try to make it as hard as possible to ascertain our user base.

(Adam Williams) #5

I see a lot of sites taking this approach where they have this super vague password reset page that gives away no information about whether the email exists in the system or not…

But they then let the cat out of the bag by disallowing registrations by new users that use the same email as an existing user. Other than incredibly restrictive registration rate limits (which would presumably be bypassable anyway), I can’t think of a way to easily defend against this if you want users to use unique email addresses, but perhaps I’m missing something.

Ultimately it seems like a lot of effort for little gain, as you’ve mentioned above.

(Adam Williams) #7

Interesting idea! Not something I’d thought about before.

I feel like I’d get slightly annoyed if I was a legitimate user and had forgotten I’d signed up, though - but maybe it could give a quick password reset link along with the “Someone tried to register” message.