Email enumeration via reset password functionality in pixelfed/pixelfed
Valid
Reported on Jan 18th 2023
Description
User enumeration is when a malicious actor uses brute-force techniques to guess or confirm valid users in a system. The malicious actor looks for differences in the server's response that depend on the validity of the submitted credentials. The differences can be in the response body, the response headers or, sometimes, the response timing.
Proof of Concept
- Go to /password/reset
- Enter the following two emails and compare the responses:
  - Registered email:
    <input id="email" type="email" class="form-control" name="email" placeholder="E-Mail Address" value="" required>
  - Not registered email:
    <input id="email" type="email" class="form-control" name="email" placeholder="E-Mail Address" value="xxx@local" required>
Notice that the unregistered email is echoed back in the value attribute, while for the registered email the value attribute is empty.
Impact
User and email enumeration allows an attacker to find valid usernames/emails on the victim application. The attacker can use this information for more advanced attacks such as brute-forcing passwords or phishing attempts.
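A regression check a maintainer could run after the fix, added here as an example and not part of the report or of pixelfed's code: it takes two rendered reset-page bodies (the constructed samples below mirror the report's two snippets, with an assumed Laravel CSRF token added) and lists anything that would let the two cases be told apart.

```python
import re
from html.parser import HTMLParser

# Constructed sample bodies mirroring the two snippets in the report. A CSRF
# token is added because Laravel forms carry one that changes per request.
SUBMITTED = "xxx@local"
VULN_REGISTERED = (
    '<form><input type="hidden" name="_token" value="abc123">'
    '<input id="email" type="email" class="form-control" name="email" '
    'placeholder="E-Mail Address" value="" required></form>'
)
VULN_UNREGISTERED = VULN_REGISTERED.replace('value="abc123"', 'value="def456"') \
    .replace('value="" required', 'value="xxx@local" required')
# Fixed behaviour (assumed): same page and same generic message for both cases.
FIXED_ANY = (
    '<p>If that address is registered, a reset link has been sent.</p>'
    + VULN_REGISTERED.replace('value="abc123"', 'value="789xyz"')
)

CSRF_RE = re.compile(r'(name="_token" value=")[^"]*(")')

class EmailField(HTMLParser):
    """Captures the value attribute of the <input id="email"> element."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("id") == "email":
            self.value = a.get("value") or ""

def echoed_email(html):
    p = EmailField()
    p.feed(html)
    return p.value

def normalize(html):
    """Mask per-request CSRF tokens so only real content differences remain."""
    return CSRF_RE.sub(r"\1TOKEN\2", html)

def reset_page_findings(resp_registered, resp_unregistered, submitted):
    """Return observable differences between the two cases; empty means none."""
    findings = []
    reg, unreg = echoed_email(resp_registered), echoed_email(resp_unregistered)
    if reg != unreg:
        findings.append(f"email field differs: registered={reg!r} unregistered={unreg!r}")
    if (submitted in resp_unregistered) != (submitted in resp_registered):
        findings.append("submitted address appears in only one of the two bodies")
    if normalize(resp_registered) != normalize(resp_unregistered):
        findings.append("response bodies differ beyond the CSRF token")
    return findings
```

Run it against a staging instance by fetching the page once with a known address and once with an unused one; any non-empty result means the oracle is still present.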
We are processing your report and will contact the pixelfed team within 24 hours.
We have contacted a member of the pixelfed team and are waiting to hear back.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 18th 2023