Email address disclosure
OWASP 2013-A6 OWASP 2017-A3 OWASP PC-C7 CAPEC-118 CWE-200 ISO27001-A.9.4.1 WASC-13 WSTG-IDNT-04
An E-mail address is used to identify an E-mail box. Some servers disclose the email addresses registered within the application. The attacker attempt can exploit this vulnerability:-
- Spam email: Spam E-mail (a.k.a junk mail) that includes mail from phishing websites and sites with malware. The malware in these E-mails might be thorough script links or any other executable links. It can also be a part of any attachments with the mail. Spam emails are collected by spammers. The spammers collect email addresses and sell it.
- Brute force attacks: Brute-force attack is a trial and error attack to obtain PIN numbers and passwords of users. Brute force attacks are executed using brute force attack software. This software generates many sets of random numbers and matches the number with the pin. This process continues until the password gets a match.
- Phishing: Phishing is a fraudulent method to obtain sensitive information from the users. The attacker phishes data by spamming users. The collected data through phishing is sold off to other companies.
- Unauthorised access attempts: Unauthorised access is an attacker getting access to a user’s account.
Using this vulnerability, an attacker can:-
- make them susceptible to Spamming.
- gain access to all the E-mail addresses in the server, the attacker can use Brute Force Attack for the passwords.
- plant phishing attacks using the E-Mail addresses.
Mitigation / Precaution
Beagle recommends the following fixes:-
- Use generic E-mail addresses like contact@ or info@ for general communications.
- Remove user/people-specific email addresses from the website.
- Try to use submission forms.