Entrinsik Informer Username Enumeration Vulnerability

Vulnerability

A username enumeration vulnerability has been identified in Entrinsik Informer version 5.10.1. It allows malicious users to enumerate valid usernames by submitting an OTP code and a new password during the password reset flow and then comparing the application's responses. The vulnerability arises because the application returns different error messages depending on whether the username is valid, which can be used to confirm the existence of user accounts.

Impact

Exploitation of this vulnerability allows for username enumeration, which can facilitate targeted attacks such as password spraying.

Reproduction

To reproduce this vulnerability, access the login portal of Entrinsik Informer 5.10.1. Initiate the password reset process by entering a username and requesting a reset link. When prompted for a code, submit any code, followed by a new password. The application responds with an error that reveals whether the username is valid, rather than only whether the code was correct. This check can be automated by sending requests to the '/api/change-password' endpoint and comparing the error codes received.

Remediation

To address this vulnerability, modify the application's response to password reset requests to be generic and not disclose whether a username is valid. For example, the application could state that an email has been sent with password reset instructions, regardless of the username's validity. Similarly, login responses should be standardized to avoid revealing whether a username exists, such as by stating 'Invalid credentials.'
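The following is an added illustration of that remediation, not Entrinsik's code: a minimal password-reset handler in its enumeration-prone form beside a hardened form that returns one generic status and message whether the username is unknown, has no pending reset, or was given a wrong code. The user store, function names, messages and the in-memory mail sink are all constructed for the example, and the reset-request handler shows the "an email has been sent, regardless" response the remediation describes.

```python
import hmac
import secrets

# Constructed user store: username -> currently valid reset code (None = no pending reset).
USERS = {
    "alice": "483920",
    "bob": None,
}

# Constructed stand-in for a mailer so the example runs offline.
SENT_EMAILS = []


def vulnerable_change_password(username, code, new_password):
    """Enumeration-prone: unknown users and wrong codes get different responses."""
    if username not in USERS:
        return 404, "Unknown user"
    expected = USERS[username]
    if expected is None or code != expected:
        return 400, "Invalid or expired code"
    return 200, "Password changed"


# One fixed failure response, shared by every non-success path.
GENERIC_FAILURE = (400, "The code is invalid or has expired. Request a new reset link.")


def hardened_change_password(username, code, new_password):
    """Returns identical status and body for unknown users, missing resets and wrong codes."""
    # Always run a comparison so the failure paths do the same work; the dummy
    # value for a missing user or missing reset can never produce a success.
    expected = USERS.get(username) or secrets.token_hex(3)
    code_matches = hmac.compare_digest(code.encode(), expected.encode())
    if username in USERS and USERS[username] is not None and code_matches:
        return 200, "Password changed"
    return GENERIC_FAILURE


def request_reset(username):
    """Same answer for every username; the email is only actually sent if the account exists."""
    if username in USERS:
        USERS[username] = f"{secrets.randbelow(10**6):06d}"
        SENT_EMAILS.append(username)
    return 200, "If that account exists, an email with reset instructions has been sent."


def responses_indistinguishable(handler):
    """Check a defender would run: do the three failure cases return the exact same response?"""
    unknown_user = handler("nobody", "000000", "NewPassw0rd!")
    known_user_wrong_code = handler("alice", "000000", "NewPassw0rd!")
    known_user_no_reset = handler("bob", "000000", "NewPassw0rd!")
    return unknown_user == known_user_wrong_code == known_user_no_reset


if __name__ == "__main__":
    print("vulnerable handler leaks:", not responses_indistinguishable(vulnerable_change_password))
    print("hardened handler uniform:", responses_indistinguishable(hardened_change_password))
```

The `responses_indistinguishable` check is the regression test worth keeping after the fix: it compares the full (status, body) pair, since a differing HTTP status is just as usable for enumeration as a differing message.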

Added: Dec 17, 2025, 5:22 PM
Updated: Dec 17, 2025, 7:39 PM

Vulnerability Rating

Custom Algorithm

Metric           Score
spread           0.0
impact           0.6
exploitability   8.7
remediation      0.0
relevance        1.6
threat           6.4
urgency          2.9
incentive        5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.