Many mobile applications have authentication mechanisms. Users need to prove identity to gain access to app functionality. This verification is vital for a variety of reason, like an application may contain users’ personal information, or provide a paid subscription to an online service. Users are shown error messages when incorrect login information is submitted. These messages may reveal information about database values which may help an attacker. Let us have an example to see how an attacker may exploit the vulnerability.
An attacker wants to gain access to a mobile application. The application asks for username and password, and the attacker has neither. The only way possible would be to formulate all the usernames and passwords. Once done, try combinations of usernames with each of the passwords until a pair gets accepted. This act is called user enumeration, and this modus operandi is known as a brute-force attack. But, whenever incorrect credentials are entered, the application specifies in the error message if the username, or the password, or both the values are incorrect. Whenever the attacker gets a message mentioning that the password is wrong, he gets a hint that the username is valid, and vice-versa. In case the application specifies that both the values are invalid, the attacker removes both them from the lists of possible usernames and passwords. This way, the number of probable combinations that the attacker has to try reduces. That reduces the time and effort the attacker needs to carry out the attack.
The solution is to curate the application’s error messages and ensure that no hint is given to users about the valid credentials. The messages shall mention no details, but be generic, like ‘Invalid Credentials’, ‘Please enter both the credentials correctly’, etc.