
Why is preventing username enumeration important?

Written by CSA Cyber | Jun 24, 2025 11:45:00 AM

Overview

Username enumeration (often email enumeration too, since the two are interconnected in many applications) occurs when a service's functionality in some way discloses the usernames or email addresses of its user base.

Why is username enumeration a security risk?

Because it has no immediate impact on security posture, username enumeration is often disregarded as a risk. However, there are certainly risks associated with it, especially when a username is also a user's email address. For email addresses, the risk is targeted phishing: an attacker knows both the email address and the service it is used on, and therefore which page to target.

Excluding email addresses, usernames can be used in a multitude of ways, especially when combined with other vulnerabilities. The immediate attacks are password attacks against login portals. However, other attacks may also exist, such as usernames being used together with insufficient access controls to compromise accounts. Overall, username enumeration always provides a benefit to an attacker. Even from a security assessment's perspective, when usernames are obtained and other vulnerabilities exist on the system, compromise becomes easier where relevant.

Can username enumeration be truly removed?

For the majority of applications, username enumeration can be removed everywhere except at the point of user registration. Where user registration exists, it often comes with username enumeration that is considered inevitable.

Whilst this is a challenging obstacle, there is an option that could be considered. If the username is the user's email address, then on registration, instead of an error message that discloses the existence of the email address, the application shows a message stating that a confirmation has been sent to that address. If the user already exists, the email notifies that user of the attempt; if the user does not exist, the registration link proceeds as normal. This should prevent enumeration.

When the username is not the same as the email address, it becomes more complicated. One solution would be to generate a username for the user instead of allowing them to choose one, but this may impact customer satisfaction. Therefore, this scenario is often more complicated to deal with. For this reason, using the email address as the username tends to be the better option, as it provides a reliable way to avoid username enumeration.
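The registration flow described above, written out as an added example (this is not code from the original post or from CSA Cyber). The in-memory user set, the Mailer class and the confirmation token are constructed stand-ins for a real user store, mail service and signed-link generator; the point is that both branches return an identical response and differ only in which email the mailbox owner receives.

```python
# Added example: enumeration-safe registration. The user store, mailer and
# token generator are hypothetical stand-ins, not a real framework's API.
import secrets
from dataclasses import dataclass, field

# Constructed in-memory set of already registered accounts, keyed by email.
EXISTING_USERS = {"alice@example.com"}

# The one message every caller receives, whether or not the address is taken.
NEUTRAL_MESSAGE = "A confirmation has been sent to the email address provided."


@dataclass
class Mailer:
    """Hypothetical mail sender that records messages instead of sending them."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


# Constructed store of pending confirmation tokens: token -> email.
PENDING_TOKENS: dict = {}


def register(email: str, mailer: Mailer, users: set = EXISTING_USERS) -> dict:
    """Handle a registration request without revealing whether `email` exists.

    Both branches return the same status code and body. The only difference is
    the content of the email, which only the owner of that mailbox can read.
    """
    normalized = email.strip().lower()
    if normalized in users:
        # Existing account: tell the owner that someone tried to register again,
        # and do nothing else (no new account, no token).
        mailer.send(normalized, "Someone tried to register with your address")
    else:
        # New account: issue a one-time token and send the confirmation link.
        token = secrets.token_urlsafe(32)
        PENDING_TOKENS[token] = normalized
        mailer.send(normalized, f"Confirm your registration: token={token}")
    # Identical response either way, so the caller learns nothing about `users`.
    return {"status": 200, "message": NEUTRAL_MESSAGE}


def confirm(token: str, users: set = EXISTING_USERS) -> bool:
    """Complete registration for a valid token; returns False for unknown tokens."""
    email = PENDING_TOKENS.pop(token, None)
    if email is None:
        return False
    users.add(email)
    return True
```

In a real deployment the same care applies to response time and headers: if the "existing user" branch is noticeably faster or slower than the "new user" branch, the neutral message alone will not stop enumeration.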

Lastly, it is important to mention that username enumeration can occur outside the login and registration portals, which is where attention is usually focused. Username enumeration can also occur in public API endpoints, in unexpected error messages from the server, or through insufficient access controls. Therefore, truly eliminating username enumeration can be a challenge that requires thorough investigation. This often poses a question of effort versus reward, yet in the long term, removing username enumeration is something everyone should strive to achieve.

Advice for implementation

Below are a few ideas for implementing preventive mechanisms:

  • Generic error messages: Use non-specific error messages like "Registration failed. Please try again." or "Credentials invalid" for login attempts.
  • Rate limiting: Limit the number of registration/login attempts from a single IP address within a certain timeframe.
  • CAPTCHA: Implement CAPTCHA to distinguish between human users and automated bots.
  • Email verification: Require email verification without indicating if the email is already registered.
  • Delayed responses: Introduce slight delays in response times to hinder automated attacks.
  • Monitoring and logging: Monitor and log registration attempts to detect suspicious activity.
  • Use of honeypots: Implement honeypots to detect and block automated bots.
  • IP deny-list: Temporarily block IP addresses that exhibit suspicious behaviour or multiple failed attempts.

Conclusion

Entirely preventing username enumeration can be a challenge, yet successfully achieving this can slow down a lot of attacks, especially those that rely on having a victim’s username. Considering how useful usernames and email addresses have been to attackers, it will benefit any organisation to prevent or at least greatly minimise how easily this information can be gained by attackers.