General Information

Credentials Enumeration in Password Recovery

Variants:
Direct

Also Known As:
Email Enumeration in Password Recovery

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Password Recovery, Information Disclosure Prevention

Invented In:
01/01/1999

Added In:
21/12/2014


Vector Operation Method:
Attackers can abuse password recovery mechanisms that reveal whether a submitted credential such as a username or email address is valid. A "no account found for that address" response (or any response that differs in text, status code or timing between registered and unregistered accounts) lets the attacker first enumerate valid usernames or emails and then attack the password separately, rather than having to guess username and password combinations together. This greatly reduces the time required for subsequent credential enumeration and brute-force attacks.
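The following is an added example, not code from the original vector page: a minimal password-recovery handler that leaks account existence through its response text, the hardened handler that returns the same response either way, and the enumeration loop an attacker would run against the leaky one. The user store, the candidate list and the function names (`recover_password_leaky`, `recover_password_uniform`, `enumerate_accounts`) are constructed here for illustration.

```python
"""Email enumeration via a password-recovery endpoint: leaky handler,
hardened handler, and the attacker-side probe loop.

Added illustration only; the user store, mailer stub and function names
are hypothetical and do not come from any real application.
"""
import secrets
from typing import Callable, Dict, List

# Constructed user store (email -> display name); stands in for a real DB.
USERS: Dict[str, str] = {
    "alice@example.com": "Alice",
    "bob@example.com": "Bob",
}


def send_reset_mail(email: str, token: str) -> None:
    """Stand-in for the real mailer; a production app would queue an e-mail
    containing a link with the one-time reset token."""
    pass


def recover_password_leaky(email: str) -> str:
    """Vulnerable: the response differs depending on whether the address is
    registered, so any caller learns which emails have accounts."""
    if email not in USERS:
        return "No account found for that email address."
    send_reset_mail(email, secrets.token_urlsafe(32))
    return "A password reset link has been sent to your email address."


def recover_password_uniform(email: str) -> str:
    """Hardened: identical response whether or not the address exists.
    The reset mail is still only dispatched for registered accounts, but the
    caller cannot tell that from the response text or status."""
    if email in USERS:
        send_reset_mail(email, secrets.token_urlsafe(32))
    return ("If an account exists for that address, a password reset "
            "link has been sent to it.")


def enumerate_accounts(recover: Callable[[str], str],
                       candidates: List[str]) -> List[str]:
    """Attacker-side loop: establish a baseline response with an address that
    certainly does not exist, then keep every candidate whose response
    differs from that baseline. Yields the registered addresses against the
    leaky handler and nothing against the uniform one."""
    probe = "nobody-" + secrets.token_hex(8) + "@example.invalid"
    baseline = recover(probe)
    return [c for c in candidates if recover(c) != baseline]


if __name__ == "__main__":
    wordlist = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("leaky:  ", enumerate_accounts(recover_password_leaky, wordlist))
    print("uniform:", enumerate_accounts(recover_password_uniform, wordlist))
```

Two caveats when applying the hardened form in practice: the uniform handler still does more work (token generation, mail dispatch) for a registered address, so the mail should be queued asynchronously and the endpoint rate-limited, or the response-time difference becomes a second oracle; and the same uniform-response rule must be applied to the registration and login paths, otherwise the attacker simply enumerates there instead.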


Direct Variant:

Username Enumeration in Password Recovery

Also Known As:
Credentials Enumeration in Password Recovery

Typical Severity:
Medium

Learn More: