User Enumeration
The origins in me writing this blog post come from a tweet that I tweeted:
Now ordinarily I wouldn't be too worried about a user enumeration vulnerability on a site. It's certainly not the end of the world, but it should be something that one tries to address. This is after all a well known and common vulnerability that has been around for some time. It even forms a part of the Identification and Authentication Failures item of the current OWASP Top 10 (2021 list).
Information Disclosure
User (or account) enumeration can also be thought of as a form of information disclosure. And any information in the hands of an attacker is something that can help them further their cause. Take the example in my Tweet. Putting aside the fact that this vulnerability can be used to help brute force the password on an account. It could also be used for credential stuffing. This is a tactic where the attacker would take known username and password combinations, obtained from previous breaches, and attempt to use those to obtain access to their victim's account. And since we know that users are generally poor (the reason why is perhaps content for another blog sometime) when it comes to using unique passwords, this form of attack and can have a high degree of success for attackers. Now, hopefully, people using a password manager would at least have a unique password for this.
But the user enumeration could lead to another form of attack, phishing. The attacker has a known and valid username (or rather email address), so that can individually target these users with phishing attempts that would likely display some spoofed version of the LastPass page. Again this is where something like MFA is incredibly important, and one would hope that users have this enabled for their password manager. But my bet is that not all users will have this enabled (for different reasons).
Finally another tactic (and closely related to the one above), is that the attacker could potentially try identify which organisations likely use LastPass as their password manager. All the attacker would need to do is to attempt to "login" with a selection of corporate email addresses (let's face it, it's really not hard to work these out). Based off the fact a few have a valid account on the platform would likely indicate that they use it. And then the attacker perhaps could launch a wider phishing campaign against the organisation.
Now I'm not saying all the above is not impossible without this user enumeration, it is however significantly more difficult, and more importantly time consuming. Which could be enough to put any would be attacker.
Secure Systems Deserver Greater Scrutiny
As I said in my opening section, user enumeration is a well known vulnerability. It has been around for years now. It now is considered best practice to display a generic message on a login page to avoid user enumeration. An example would be something like:
The username and/or password entered are incorrect, please try again.
Rather than something like:
The username entered does not exist, please try again.
And as I said as well, ordinarily I wouldn't lose much sleep over such a vulnerability. However, a password manager is not an ordinary system. It literally contains ALL the keys to my accounts. So this is something that I would expect to follow as many best security practices as possible. If it doesn't, it does make me start to question what other things are not being done (or should be done). And this is why it's such a concern to myself, and others as well. For me personally, this is the biggest factor of having such as well known vulnerability in such a critical and sensitive security product.
Conclusion
User enumeration, generally, isn't such a big issue. However, as I've tried to show above it can help attackers to suddenly make it a worrying problem in some cases. And this is concerning given what systems are performing, as in this case a password manager. In closing we need to hold critical and sensitive security related systems to greater scrutiny. These are often the crown jewels for attackers, and if they do manage to get their hands on them, their victims are going to have a very difficult time.