langgenius/dify-web
cpe:2.3:a:langgenius:dify:*:*:*:*:node.js:*:*
- 1.6.0
A user enumeration vulnerability has been identified in Langgenius Dify Web version 1.6.0. The issue arises from the authentication mechanism, which reveals the existence of user accounts by providing different error messages for non-existent and existing accounts. When a login or registration attempt is made with a non-existent username or email, the system responds with 'account not found.' In contrast, if the username or email is valid but the password is incorrect, a different error message is issued. This inconsistency allows attackers to enumerate valid user accounts by analyzing the error responses, potentially leading to targeted social engineering, brute force, or credential stuffing attacks.
This vulnerability enables attackers to discover valid user accounts, facilitating targeted social engineering, brute force, or credential stuffing attacks.
To reproduce this vulnerability, send a login or registration request with a non-existent username or email. The response will indicate that the account was not found. Next, send a request with a valid username or email but an incorrect password. The system will respond with a different error message, such as 'incorrect password.' This difference in responses can be used to confirm the existence of a user account.
This vulnerability has been fixed in Langgenius Dify Web version 1.9.0.