User email enumeration vulnerability on CSL Dualcom’s password recovery site

CSL Dualcom allow users to reset their password on http://passwordrecovery.csldual.com/  (yes, no HTTPS, again).

The password reset functionality allows an attacker to enumerate valid usernames: a genuine username produces a different response from an invalid one, so each reset request doubles as a yes/no oracle for account existence.

The forgotten username functionality also allows an attacker to check for valid email addresses.

Leaking valid usernames and email addresses like this is a very bad idea. An attacker can, for example, send crafted emails directly to known users, directing them to reset their passwords on a server under his control.
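The pattern behind both findings (the reset and forgotten-username forms) is the same: the response differs depending on whether the submitted value is on file. The following is an added example, not code from CSL Dualcom or from this post, modelling a leaky endpoint of each kind alongside a hardened equivalent, plus the probe an assessor uses to confirm the oracle. The account table, message strings and candidate lists are all constructed for illustration.

```python
# Added example (not CSL Dualcom's code): a password-reset and a
# forgotten-username endpoint that leak account existence, their hardened
# equivalents, and a probe to detect the oracle. USERS, the message strings
# and the candidate names are constructed for illustration.
import secrets

# Constructed account table: username -> email address.
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}
EMAILS = {email: user for user, email in USERS.items()}

# Stand-in for the mail system: addresses that would receive a message.
OUTBOX = []


def reset_vulnerable(username):
    """Password reset with an oracle: status and text differ by validity."""
    if username in USERS:
        OUTBOX.append(USERS[username])
        return {"status": 200, "body": "A reset link has been sent to your email address."}
    return {"status": 404, "body": "No account found with that username."}


def forgot_username_vulnerable(email):
    """Forgotten-username lookup with the same kind of oracle, keyed on email."""
    if email in EMAILS:
        OUTBOX.append(email)
        return {"status": 200, "body": "Your username has been emailed to you."}
    return {"status": 404, "body": "That email address is not registered."}


def reset_hardened(username):
    """Same status and wording whether or not the account exists.
    Only the side effect (a queued email) depends on validity, and that is
    not visible in the response."""
    if username in USERS:
        OUTBOX.append(USERS[username])
    return {"status": 200, "body": "If an account matches, a reset link has been sent."}


def forgot_username_hardened(email):
    """Hardened lookup: identical response for registered and unknown addresses."""
    if email in EMAILS:
        OUTBOX.append(email)
    return {"status": 200, "body": "If that address is registered, your username has been emailed."}


def probe(handler, candidates):
    """Enumeration check: compare each candidate's response with the response
    for a value that cannot exist. Returns the candidates the endpoint
    confirms as valid; an empty list means no oracle was observed."""
    baseline = handler("probe-" + secrets.token_hex(8))
    return [c for c in candidates if handler(c) != baseline]


if __name__ == "__main__":
    names = ["alice", "carol", "bob"]
    print("vulnerable reset leaks:", probe(reset_vulnerable, names))  # ['alice', 'bob']
    print("hardened reset leaks:", probe(reset_hardened, names))      # []
```

The hardened handlers only close the content oracle. In a real deployment the mail send has to be queued rather than performed inline, otherwise the response time itself leaks validity, and the endpoint still needs rate limiting so that a uniform response cannot simply be retried against a large wordlist.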

One thought on “User email enumeration vulnerability on CSL Dualcom’s password recovery site”


    Adam

    November 16, 2015 at 6:34pm

    With Google you can enumerate their email addresses as well: http://imgur.com/cPgSMlT
    But the difference between Google and CSL is that Google monitors IP addresses of the original user as well as the kind of computer that the original user uses and encourages 2-step verification.
