Information leakage in many websites and job application portals

German version of this post

1. Summary

Many websites such as forums, dating sites, job application portals, newsletters or social networks require a user registration. This registration generally requires an email address and a freely chosen pseudonym as username. Most Internet users assume that only the chosen pseudonym is publicly visible while the email address is treated as confidential by the site operator. Depending on the type of website it is important that the existence of an account is kept confidential, since knowing that an account exists may lead to certain conclusions about the account owner. As an example, if a person has registered in a forum about a specific disease, it is likely that this person is affected by this disease. The problem presented here allows unauthorized third parties to find out whether there is an account for a specific email address. In the case of online job application portals, the existence of an account typically means that the account owner has applied for a job. This may allow an employer to find out that one of his employees has confidentially applied for a job at another company.

2. Description of the problem

The main problem is that if a user tries to register with an email address or username that is already registered at the site, the user gets a corresponding error message in the browser. An unauthorized third party may try to register with the email address or username of the potential account owner. If this results in an error message, the attacker may conclude that the email address or username is already registered.

The email address is linked to a specific person, and most employers know at least one private email address of their employees. The problem can obviously only reveal the existence of an account on a site such as a job application portal and no more detailed information about the account (such as the pseudonym corresponding to a given email address or the application submitted). However, the bare fact that an employee has applied for another job may already have negative consequences for the existing employment.

For some sites such as job application portals the username can also be linked to a specific person (especially for rare names and/or small industries), since many applicants choose an easily predictable username such as "First Name.Last Name" or a pseudonym which is also known to the current employer and expect the data to be treated as confidential by the company they apply to. If this predictable username is already taken on the job application portal of another company, an employer may conclude that his employee is applying for a job there.

Some websites don't require a username and use the email address and password for logging in. Some other sites assign a randomly chosen username for every registered user. Most of these sites reveal the existence of an account for an email address as well when trying to register again with the email address.

3. Distribution of problem for job application portals

I have checked the job application portals of some big companies by trying to register with the same username or email address twice. 27 of the 30 companies in the DAX index (which contains the biggest stock companies in Germany) are affected by the problem. The remaining 3 companies either don't provide an online job application portal or only allow direct applications without an account registration. This leads to the conclusion that the vast majority of companies running an online job application portal are affected by the problem. Some international companies such as IBM or Intel are affected as well.

4. Other problematic online accounts

The problem not only affects job application portals but also many other websites such as online shops, forums, newsletters, social networks or dating sites. The mere existence of an account in a forum may lead to problematic conclusions about the owner of the account. An employer may for instance check whether a female applicant is registered in a forum about pregnancy with the email address used for the application instead of asking whether she is pregnant (which is illegal to ask in some countries) and not employ her if there is an account. The registration in a forum or a newsletter about a sensitive topic such as employment rights, homosexuality, certain political opinions/activities, diseases (e.g. HIV) or psychological problems should also not be revealed to everyone who knows the user's email address. Most users expect that a forum only reveals the chosen pseudonym to the public and that the email address is treated as confidential. So it may be problematic if everyone who knows the email address can figure out that someone has an account in a forum.

5. Possible use of vulnerability by cyber criminals

The existence of an account in a forum or vendor support site about specific hardware or software components can reveal some information about the hardware/software used by the account owner. This may allow an attacker to specifically exploit vulnerabilities in those components in a targeted attack.

Cyber criminals could also exploit this problem to increase the effectiveness of their attacks. For instance, a phisher may choose to only send phishing emails to email addresses which are actually registered at a site. An attacker may also verify that an account exists before trying to break into the account by brute-forcing the password (or the security question for resetting the password).

6. Confirmation emails

Some sites send a confirmation email when trying to register with a given email address. These confirmation emails allow users to find out that someone has tried to register with the user's email address on a site.

Some sites reveal the existence of an email address/username before the registration form is actually submitted, e.g. via Ajax requests to the server. In this case, no confirmation email is sent to the owner of the email address. Some other sites reveal the existence of an email address when submitting the registration form even if there is another error such as an empty or weak password, a duplicate username or required form fields left blank. In these cases the sites don't send any confirmation email but still reveal the existence of an account for a given email address.

When a confirmation email is sent, most users will just ignore it since they haven't registered on the site, without considering that this email may be the result of someone probing for the user's accounts. Even if a user knows about the problem, it may still be impossible to find out who is responsible for the attack.

7. Mitigation for website operators

Website operators can take some technical measures to mitigate the risk for their users. Depending on the nature of the site it may be necessary to abandon the possibility for users to choose a username, because a given username may have already been taken, which will make the registration fail and thus reveal the existence of a given username. For sites which already publicly reveal the chosen names as part of the site functionality (such as forums or dating sites) and where most users choose a pseudonym for the registration, a freely chosen username is obviously unproblematic. For other sites such as job application portals, where confidential treatment of all user data is commonly expected and many users choose their real name as username, it is probably necessary to abandon the possibility to register with a freely chosen username. The site may either create a randomly generated username or just use the user's email address instead of a username for logging in.

The same problem also applies for email addresses. Most sites show an error message (or a hint to use the existing account) when trying to register with an already registered email address. This problem can be solved by requiring the user to verify the email address by clicking on a link sent to the user via email. If the email address is already registered, the site doesn't need to tell the client browser about the existing account. The site may then send a reminder about the existing account instead of a verification link via email. This makes sure that only the owner of the email address can find out whether there is an account for his email address.

The website operator should also make sure that the password reset functionality and changing the email address of an existing account (which an attacker can easily register for this purpose) doesn't reveal to the client browser whether a given email address is already registered at the site.
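The two paragraphs above describe the mitigation for the registration form and for the password reset form: the browser gets the same answer in every case, and the existence of an account is only communicated to the mailbox owner. The following is an added example of that pattern, not code from the original post or from any of the portals it mentions. It uses constructed in-memory stand-ins for the user database and the outgoing mail queue (the `Site` class, `outbox`, `pending` and all function names are hypothetical), and it shows the leaking variant next to the hardened one so the difference in behaviour is visible.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for the site's user database and outgoing
# mail queue (hypothetical names, no real framework).
class Site:
    def __init__(self):
        self.accounts = {}   # email -> (salt, password hash)
        self.pending = {}    # verification token -> (email, salt, password hash)
        self.outbox = []     # (recipient, message) pairs the mailer would send

def hash_password(password, salt=None):
    """Salted PBKDF2 hash, so the sample never stores a plaintext password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

# --- Leaking variant: the response itself tells the browser whether the
# --- address is taken, which is exactly the problem described on this page.
def register_leaky(site, email, password):
    if email in site.accounts:
        return "error: this email address is already registered"
    site.accounts[email] = hash_password(password)
    return "ok: account created"

# --- Hardened variant: identical response for known and unknown addresses;
# --- the difference is only visible to whoever controls the mailbox.
REGISTER_RESPONSE = "Check your inbox for an email with further instructions."
RESET_RESPONSE = "If an account exists for this address, a reset link has been sent."

def register(site, email, password):
    # Validate every other field first, with messages that do not depend on
    # the address, so a failing field cannot double as an account probe.
    if len(password) < 12:
        return "error: the password must be at least 12 characters"
    # Hash before branching so both paths do the same expensive work and
    # response time does not separate "known" from "unknown" addresses.
    salt, digest = hash_password(password)
    if email in site.accounts:
        # Existing account: remind the mailbox owner, say nothing to the browser.
        site.outbox.append((email, "reminder: you already have an account here; "
                                   "use the password reset if you forgot the password"))
    else:
        token = secrets.token_urlsafe(32)
        site.pending[token] = (email, salt, digest)
        site.outbox.append((email, f"verify: /verify/{token}"))
    return REGISTER_RESPONSE

def verify(site, token):
    """Create the account only when the emailed token comes back."""
    entry = site.pending.pop(token, None)
    if entry is None:
        return False
    email, salt, digest = entry
    if email in site.accounts:
        return False  # already registered through another token meanwhile
    site.accounts[email] = (salt, digest)
    return True

def request_password_reset(site, email):
    # Same shape as register(): fixed response, mail only if an account exists.
    if email in site.accounts:
        site.outbox.append((email, f"reset: /reset/{secrets.token_urlsafe(32)}"))
    return RESET_RESPONSE

def demo():
    """Registers, verifies, then probes the same address again."""
    site = Site()
    first = register(site, "alice@example.invalid", "correct horse battery staple")
    token = site.outbox[-1][1].split("/verify/")[1]
    assert verify(site, token)
    second = register(site, "alice@example.invalid", "another long passphrase")
    unknown = request_password_reset(site, "nobody@example.invalid")
    known = request_password_reset(site, "alice@example.invalid")
    # The browser sees identical strings; only the outbox differs.
    return first == second and unknown == known, len(site.outbox)

if __name__ == "__main__":
    print(demo())  # (True, 3): three emails queued, none of them visible to the browser
```

The same shape applies to the change-email form mentioned above: verify the new address by mail and answer the browser with a fixed message. The example hashes the password before the branch on purpose; if the known-address path skipped the hash, the faster response could still distinguish the two cases even though the text is identical, so the two paths should do the same amount of work or hand the mail sending off to a background job.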

The measures proposed here may lead to some extra effort and loss of convenience (no freely chosen username, requirement to verify the email address) and increased support effort. So there is an obvious trade-off between usability and privacy. For some sites such as job application portals, dating sites or forums about sensitive topics it is obvious that privacy should have priority over usability and the existence of an account shouldn't be revealed to unauthorized third parties.

8. Mitigation options for users

Users may also protect their privacy by using secret email addresses/aliases for registering sensitive accounts. You can easily register a new account at a freemail provider of your choice for this. However, registering too many email accounts may be problematic since it requires users to remember all email addresses/passwords and regularly check all the accounts for incoming mails. As an alternative, some email providers such as Hotmail allow setting up a limited number of alias addresses for one account, so that a user can check incoming emails to multiple addresses with one single email account. Many providers also allow appending a plus sign and a random string to an email address. You can for instance use john.doe+someRandomString@email.provider instead of john.doe@email.provider when doing a confidential application to a company. Since an attacker only knows the base address (john.doe@email.provider) and can't guess the random string you appended, he can't check whether you have already registered an account. However, you should keep in mind that you will need the full email address used for the registration for doing a password reset. So it may be a good idea to write down the email alias you used for the registration.

If you have already registered at a sensitive site with a non-secret email address, you can still change your email address to an alias. Most sites allow changing the email address in the profile settings. However, some sites still block the registration of a new account with the same email address thus revealing the fact that there had been an account. You may also inform the website operator if a site you know/are using is affected by the problem and the existence of an account should be kept strictly confidential based on the nature of the website.

If you want to hide the existence of an account, you should also choose a username which is non-guessable even for someone who knows you. This is obvious for community sites such as forums or dating sites with publicly visible nicknames. However, even for sites such as job application portals where you expect your data to be treated confidential, you should still choose a non-guessable username.