securingdev / infosec_mentors_project

Building a community for those that both seek and wish to provide mentorship in Information Security.
GNU General Public License v3.0

User enumeration Vulnerability #33

Closed (WebBreacher closed this issue 6 years ago)

WebBreacher commented 6 years ago

The URL for an unauthenticated user to browse through the list of users of the system is https://infosecmentors.net/user/# (where #=1-332 as of now). A person could quickly enumerate all the people that have signed up in the system, get their names, their profile picture, and their mentoring wishes/offers.

Not sure if the users know all this information about themselves is available pre-authentication. Access to this data should either require authentication or use a non-sequential value for each user id (example: https://infosecmentors.net/user/jhgdfw92hh).

securingdev commented 6 years ago

Hey Micah! Thanks for taking a look at the project 😄 👍

Although the "ID Number" that can be enumerated through allows for some form of scraping attack, I wouldn't necessarily equate it to "User Enumeration" (usernames are not tied to the ID Number). Also, there are no private profiles on the platform - the point is to actually be displayed publicly as available to be a mentor.

I'm unsure at this point if it merits overhauling the mechanism(s) used to browse through users manually or not, given the intentions and nature of the page itself - but still, I appreciate your having a look at it :blush:

P.S. I really enjoyed your talk at BSides NOVA last year! 🎉

WebBreacher commented 6 years ago

Oh...I forgot to thank you for creating this wonderful project!!!!!

And you are correct. I misspoke about the user enumeration. Unfortunately, that happens when you sign up for a free account. By giving a valid email, I gain access to the authenticated pages that contain (at least on most users' pages) their email addresses in the HTML source code of the page (shown below). Since email addresses are used for user names, this would be enumeration, and since the barrier to become "authenticated" is a valid email address (and the site accepts https://10minutemail.com and other disposable email addresses), a person could create an account using a disposable email account, verify it, log in, and now scrape a good amount of info about every user.

[screenshot of the page source, attached to the original comment; not reproduced here]

Again, thanks for the project and glad you liked the talk!

securingdev commented 6 years ago

You make a fair point @WebBreacher regarding the Email Addresses. I think that addressing the Twitter profile issue is something I am willing to forego fixing, as these are otherwise publicly available.

With that said, I believe the checks I've added with #34 should resolve the issue. I intend to hot swap these fixes into the production environment this weekend after I run some tests locally. Thanks for contributing your feedback, and for working to improve the resiliency of this project! :blush: :+1:

I will leave this issue ticket open until I've confirmed the fix works as intended and added the code to production. In the meantime, drop me a DM on Twitter with your User ID and/or registered email address for the site - I'll add the Contributor, InfoSec Mentors Project title to your profile 😉

securingdev commented 6 years ago

Following up on this. I didn't test it this weekend, but will be doing so either tonight or tomorrow and pushing to production accordingly (heck, I may just live dangerously and test in production :wink:).

Based on the merged changes, does my "fix" for the email issue seem amenable @WebBreacher?

WebBreacher commented 6 years ago

I honestly have not had time to examine code or test it. Happy to check it once it is applied if you'd like.

On Mon, Jan 29, 2018 at 4:00 PM, Keith Hoodlet notifications@github.com wrote:

Following-up on this. I didn't test it this weekend, but will be doing so either tonight or tomorrow and pushing to production accordingly (heck, I may just live dangerously and test in production 😉).

Based on the merged changes, does my "fix" for the email issue seem amenable @WebBreacher https://github.com/webbreacher?


securingdev commented 6 years ago

So it appears the fix I pushed in #34 didn't address the issue in the way I intended. I will be re-working this patch.

securingdev commented 6 years ago

Alright, I believe I've addressed this issue in #35, which I've now tested. This should remove both the "public email" field from a user's profile, as well as remove the email address that (somehow) made it into this user's Gravatar profile image field.

Would you mind validating this before I close this issue, @WebBreacher?
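The two problems raised in this thread are sequential /user/<n> identifiers that let anyone walk the whole user table, and email addresses (the login names) ending up in the HTML of profile pages, including the Gravatar image field. The following is an added example of how a profile endpoint can avoid both; it is not code from the infosec_mentors_project repository or from #34/#35. The names User, new_public_id(), public_profile() and render_profile_html() are assumptions made for this example, and the sample user is constructed.

```python
"""
Added example (not the project's own code): opaque public identifiers for
profile URLs, plus an allow-list profile serializer so the login email never
reaches the browser, not even through the Gravatar field.
"""
import hashlib
import html
import secrets
from dataclasses import dataclass, field


def new_public_id() -> str:
    """Opaque, non-sequential identifier for use in URLs (/user/<public_id>).

    secrets.token_urlsafe(12) yields 96 bits of randomness (16 URL-safe
    characters), so the id space cannot be walked by incrementing a counter
    the way /user/1..332 could.
    """
    return secrets.token_urlsafe(12)


@dataclass
class User:
    # The internal primary key stays sequential for the database, but is
    # never placed in a URL or rendered into a page.
    id: int
    name: str
    email: str               # login name; must never reach the HTML
    mentoring_offers: str
    twitter: str = ""        # already public elsewhere, so it may be shown
    public_id: str = field(default_factory=new_public_id)


def gravatar_url(email: str, size: int = 80) -> str:
    """Gravatar addresses avatars by the MD5 of the lowercased, trimmed email.

    Hashing server-side means only the digest is sent to the browser, never
    the address itself (in this issue the raw address ended up in the image
    field).
    """
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    return f"https://www.gravatar.com/avatar/{digest}?s={size}&d=identicon"


def public_profile(user: User) -> dict:
    """The only fields a profile page renders, for any viewer.

    Built as an allow-list rather than by deleting fields from the full
    record, so a newly added sensitive column cannot leak by default.
    """
    return {
        "public_id": user.public_id,
        "name": user.name,
        "mentoring_offers": user.mentoring_offers,
        "twitter": user.twitter,
        "avatar": gravatar_url(user.email),
    }


def render_profile_html(user: User) -> str:
    """Minimal profile HTML built solely from public_profile(), with escaping."""
    p = {k: html.escape(str(v), quote=True) for k, v in public_profile(user).items()}
    return (
        f'<div class="profile" data-user="{p["public_id"]}">'
        f'<img src="{p["avatar"]}" alt="avatar">'
        f'<h2>{p["name"]}</h2>'
        f'<p>{p["mentoring_offers"]}</p>'
        f'<a href="https://twitter.com/{p["twitter"]}">@{p["twitter"]}</a>'
        "</div>"
    )


def leaks_email(rendered: str, email: str) -> bool:
    """Regression check for a test suite: does the rendered page contain the address?"""
    return email.strip().lower() in rendered.lower()


if __name__ == "__main__":
    # Constructed sample user, not a real account on the site.
    u = User(id=1, name="Example Mentor", email="Mentor@example.org",
             mentoring_offers="Web app pentesting, career advice",
             twitter="example_mentor")
    page = render_profile_html(u)
    print(page)
    print("email leaked:", leaks_email(page, u.email))
```

The leaks_email() check is the kind of assertion worth keeping in the test suite after a fix like #35, so the address cannot quietly return through a new template field. One caveat: the Gravatar digest is an unsalted MD5 of the address, so it can still be matched against a list of candidate emails; it is the service's addressing scheme, not a secret, and a self-hosted avatar avoids even that exposure.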

WebBreacher commented 6 years ago

I just checked the live version of the site and don't see the email addresses! Thank you for fixing this so quickly too!

securingdev commented 6 years ago

Thanks for confirming the fix is working as intended @WebBreacher - and thanks for your support of the project 😄 👍