Is it secure to have an "email no longer available" feature on your registration form?
A way to implement the availability check without giving any feedback to potential attackers is to always send an email to the address used for the registration. What the content of the email could look like:
- "An account for [email protected] [with username xy] was just registered at $site. Click here to confirm."
- "Somebody tried to register an account for [email protected] [with username xy] at $site, however this account already exists. If you forgot your password click here. If you did not initiate the registration please disregard this email."
This way, only the real owner of the email address will be able to check whether the address has already been used to sign up for the service. This approach is for example used by Ubuntu One.
It does leak information on what email addresses have already been used, but this is only really an issue if an attacker can rapidly check through possible email addresses.
The simple solution is:
- only allow a small number of attempts or requests from a particular IP in a session
This way a valid customer can still try a couple if their initial choice is unavailable, but an attacker attempting to enumerate email addresses will have to start new sessions.
No, this is a user enumeration vulnerability.
As an attacker if I can use your login or forgotten password page to narrow my list from 10000 targets to 1000 targets, I will.
The best implementation to solve this I have seen is that both the sign up and the forgotten password forms are a multistep process (exactly the same back-end/process after the initial form).
The form starts with a single field asking for email address. The user enters [email protected] and then clicks submit. Then they are displayed the same page asking them to check their email account.
If the user is already registered, they get an email containing a password reset link with a random token that expires in a few hours.
If the user is not registered, they get an email containing a registration link with a random token so they can continue the sign-up process. As a bonus, you've already validated their email address for when they later forget their password!
No-one that does not have access to the [email protected] email account can determine whether the user is registered or not.
Check out the example on Troy Hunt's blog post on password resets and the username enumeration vulnerability on alotporn.com for a good example of how important it is to meet the user's expectations of privacy.
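The single-field flow described in this answer, written out as an added example (not code from the original post): the web response is identical whether or not the address is registered, and only the email that goes out differs. The in-memory Store, the example.test URLs and the two-hour token lifetime are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 2 * 3600  # assumed lifetime; "expires in a few hours"


@dataclass
class Store:
    """Stand-in for the database and the mail queue (constructed for the example)."""
    users: set                                   # registered email addresses
    tokens: dict = field(default_factory=dict)   # sha256(token) -> (email, purpose, expires_at)
    outbox: list = field(default_factory=list)   # (recipient, body) pairs "sent"


def _issue_token(store, email, purpose, now):
    """Create a random single-use token; store only its hash so a DB leak
    does not expose live reset or registration links."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store.tokens[digest] = (email, purpose, now + TOKEN_TTL_SECONDS)
    return token


def start_flow(store, email, now=None):
    """Step one of the shared sign-up / forgotten-password form.
    Returns the same page text in both branches, so the HTTP response
    carries no information about whether the address is registered."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    if email in store.users:
        token = _issue_token(store, email, "reset", now)
        body = f"Password reset link: https://example.test/reset/{token}"
    else:
        token = _issue_token(store, email, "register", now)
        body = f"Finish registration: https://example.test/register/{token}"
    store.outbox.append((email, body))
    return "Check your email for the next step."


def redeem_token(store, token, now=None):
    """Step two: look up the hashed token, consume it, reject it if expired.
    Returns (email, purpose) on success or None on any failure."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.tokens.pop(digest, None)  # pop makes the token single-use
    if entry is None:
        return None
    email, purpose, expires_at = entry
    return None if now > expires_at else (email, purpose)
```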