Description
The password reset functionality in the application is vulnerable to email enumeration.
When a user submits an email address to the password reset endpoint, the application returns different responses depending on whether the email exists in the system.
An attacker can abuse this behavior to determine which email addresses are registered, enabling user enumeration. This information can later be leveraged for targeted phishing attacks, credential‑stuffing, or brute‑force attempts.
The issue occurs because the application does not provide a generic and consistent response for both valid and invalid email submissions.
Disclosure of registered user email addresses
Enables targeted phishing and social‑engineering attacks
Assists attackers in account takeover attempts
Violates secure authentication and privacy best practices
Steps to Reproduce
Navigate to the Forgot Password / Reset Password page.
Submit a registered email address.
Observe the application response (e.g., “Password reset email sent”).
Submit a non‑registered email address.
Observe a different response (e.g., “Email not found”).
Recommended Mitigation
Always return a generic response for password reset requests.
Avoid revealing account existence in UI messages or HTTP responses.
Implement rate‑limiting on password reset requests.
Log reset attempts internally without exposing details to the user.
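Added example (not code from the project this issue was filed against): a minimal password-reset handler showing the response discrepancy described above beside a hardened version that follows the four mitigation points, plus a helper that performs the "submit a registered and an unregistered address and compare" check from the Steps to Reproduce. The in-memory user store, mailer, rate limiter, audit-log list and sample addresses are all constructed for this example; a real application would back them with its database, mail queue and logging pipeline.

```python
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Single message for every outcome so the body never reveals account existence.
GENERIC_MESSAGE = "If an account exists for that address, a password reset email has been sent."


@dataclass
class UserStore:
    """Constructed stand-in for the application's user table."""
    emails: set

    def lookup(self, email: str) -> bool:
        return email.strip().lower() in self.emails


@dataclass
class Mailer:
    """Constructed stand-in for the outbound mail queue; records what was sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, email: str, token: str) -> None:
        self.sent.append((email, token))


class RateLimiter:
    """Sliding-window limiter keyed by client (e.g. source IP), constructed for the example."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()          # drop hits that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def reset_password_vulnerable(email: str, store: UserStore, mailer: Mailer):
    """The pattern reported in this issue: status code and body differ by account existence."""
    if store.lookup(email):
        mailer.send_reset(email, secrets.token_urlsafe(32))
        return 200, "Password reset email sent"
    return 404, "Email not found"


def reset_password_hardened(email: str, store: UserStore, mailer: Mailer,
                            limiter: RateLimiter, audit_log: list,
                            client_ip: str, now: float):
    """Generic response, per-client rate limit, and internal-only logging."""
    if not limiter.allow(client_ip, now):
        # Keyed by client, not by email, so the 429 itself is not an existence oracle.
        audit_log.append({"event": "reset_rate_limited", "ip": client_ip, "at": now})
        return 429, "Too many requests. Please try again later."

    token = secrets.token_urlsafe(32)      # generated on every path, not just the hit path
    exists = store.lookup(email)
    if exists:
        mailer.send_reset(email, token)    # the only branch that differs, and it is invisible to the caller

    # Details stay in the internal log; the HTTP response carries none of them.
    audit_log.append({"event": "reset_requested", "ip": client_ip,
                      "email": email, "account_exists": exists, "at": now})
    return 200, GENERIC_MESSAGE


def responses_match(handler, registered: str, unregistered: str) -> bool:
    """Reproduction check from the report: same status and body for both inputs."""
    return handler(registered) == handler(unregistered)


if __name__ == "__main__":
    store = UserStore(emails={"alice@example.com"})     # constructed sample data
    limiter = RateLimiter(max_requests=5, window_seconds=60)
    log = []
    for addr in ("alice@example.com", "nobody@example.com"):
        print(addr, reset_password_vulnerable(addr, store, Mailer()))
        print(addr, reset_password_hardened(addr, store, Mailer(), limiter, log, "203.0.113.7", now=1000.0))
```

The mail send remains the one place the two paths differ, so in production it should be enqueued to a background worker rather than sent inline; otherwise a response-time difference can leak what the response body no longer does.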
References
OWASP Top 10 – Identification and Authentication Failures
https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
OWASP Cheat Sheet – Authentication
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
OWASP Cheat Sheet – Forgot Password
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
CWE‑204: Observable Response Discrepancy
https://cwe.mitre.org/data/definitions/204.html