Credentials Enumeration in Password Recovery
Variants:
Direct
Also Known As:
Email Enumeration in Password Recovery
Vector Type:
Attack
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Password Recovery, Information Disclosure Prevention
Invented In:
01/01/1999
Added In:
21/12/2014
Vector Operation Method:
Attackers can abuse password recovery mechanisms that reveal whether a supplied username or email address is valid, reducing the time required for credential enumeration: valid usernames or emails are identified first, and only then is the password attacked, rather than enumerating username and password combinations together.
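As an added illustration (not part of this entry or of any real application), a minimal Python model of a recovery handler that leaks account existence beside one that answers uniformly; the user store, messages and function names are constructed for the example:

```python
"""Constructed example: a password-recovery endpoint that leaks account
existence, beside a hardened version that answers identically either way."""
import secrets

# Constructed user store: email -> user record. Only two accounts exist.
USERS = {
    "alice@example.com": {"name": "alice"},
    "bob@example.com": {"name": "bob"},
}
SENT_TOKENS = {}  # email -> reset token (stands in for sending an e-mail)


def recover_leaky(email: str) -> dict:
    """Vulnerable: status code and message differ depending on whether the
    address is registered, so an attacker can confirm valid emails first
    and only then work on their passwords."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for this email."}
    SENT_TOKENS[email] = secrets.token_urlsafe(32)
    return {"status": 200, "message": "Password reset link sent."}


def recover_uniform(email: str) -> dict:
    """Hardened: same status and same message whether or not the address
    exists. The token is generated on both paths so the work done is the
    same; it is stored (and would be e-mailed) only for a real account."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        SENT_TOKENS[email] = token
    return {"status": 200,
            "message": "If that address is registered, a reset link has been sent."}


def leaks_existence(handler, known_valid: str, known_invalid: str) -> bool:
    """Review check: does the handler respond differently for a registered
    address than for an unregistered one? True means it is enumerable."""
    return handler(known_valid) != handler(known_invalid)
```

In a real deployment the e-mail send itself should also be taken off the request path (queued), otherwise the response time still reveals which addresses are registered.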