01 Mar, 2023

Information Leakage Through Error Messages

Information leakage through error messages refers to the inadvertent disclosure of sensitive information to an unauthorized entity through error messages generated by computer systems or applications. This can occur when error messages contain more information than necessary, or when they reveal information that should be kept confidential.

In the context of software applications, information leakage can occur when sensitive data is transmitted or stored in an insecure manner, or when error messages or other application feedback contain information that should not be disclosed to users. 

In the context of networks, information leakage can occur when sensitive data is transmitted over an unsecured network or when network traffic is intercepted by unauthorized individuals or systems.

For example, imagine you’re trying to log in to your email account with an incorrect password. The system may show an error message saying “Incorrect password”. But if the error message also shows your email address or username, a hacker can use that information to try and guess your password and gain access to your email account.

Another example could be a web application that generates an error message with detailed information about the software and configuration of the server. This information can be used by an attacker to find vulnerabilities or weaknesses to exploit.

How are error messages generated?

Error messages are generated by computer systems or applications when an error or unexpected condition occurs. These errors can be caused by a variety of factors, including invalid user input, system failures, or software bugs.

When an error is detected, the system or application will typically generate an error message that provides information about the error and suggests possible ways to resolve it. The message is usually displayed to the user in a pop-up window, a dialog box, or a message on the screen.

The content and format of error messages can vary depending on the system or application, but they typically include information such as the type of error that occurred, a description of the error, and a suggested solution or course of action. Some error messages may also include additional information, such as error codes, stack traces, or debugging information, which can be used by developers or system administrators to diagnose and resolve the underlying issue.

What information in error messages can be useful to a hacker? 

Error messages can potentially provide useful information to attackers, particularly if the messages contain sensitive information that should not be disclosed.

Usernames or email addresses. Error messages that include specific information about a user’s account, such as their username or email address, can be used by an attacker attempting to guess the user’s password or gain unauthorized access to their account. If an error message includes a username or email address, an attacker can use this information to launch a brute-force attack, where they try to guess the user’s password by trying many different combinations until they find the correct one.

In addition to allowing attackers to guess passwords, disclosing usernames or email addresses can also make it easier for attackers to target specific users or organizations. Attackers can use this information to tailor phishing attacks or social engineering attacks that are specifically designed to trick the user into providing additional information or credentials.

System configuration details. Error messages that provide detailed information about the underlying software or configuration of a system can help attackers identify potential vulnerabilities or weaknesses to exploit.

For example, if an error message provides specific details about the software or configuration of a system, an attacker can use that information to identify known vulnerabilities or weaknesses in the system. They can then develop more targeted attacks that exploit those vulnerabilities or weaknesses, potentially leading to unauthorized access or other malicious activities.

System configuration details can also be used to fingerprint a system, which means that attackers can use the information to identify the specific software and hardware components used by the system. This information can be used to develop attacks tailored to those components, and such attacks are more difficult to detect and defend against.

Stack traces or debugging information. Stack traces and debugging information can pose a risk when included in error messages, as they can provide attackers with valuable information about the internal workings of a system or application. Stack traces provide a detailed record of the sequence of function calls that led to an error, while debugging information can include details about the system’s memory layout, variable values, and other internal state information.

Attackers can use this information to identify potential vulnerabilities or weaknesses in the system or application, and to develop more targeted attacks. For example, they may be able to use information from a stack trace to identify specific functions or modules that are vulnerable to attack, or to infer details about the system’s underlying architecture.

Specific error codes. Error codes that are associated with known vulnerabilities or weaknesses can be used by attackers to identify potential targets for attack.

For example, if an error message includes an error code that is associated with a known vulnerability in a specific software application, an attacker can use this information to identify systems that are vulnerable to the attack and attempt to exploit the vulnerability.

To mitigate this risk, error messages should be designed to be generic and not include specific error codes that could be associated with known vulnerabilities or weaknesses. Additionally, error messages should not provide any additional information that could be used to identify the underlying system or application, such as version numbers or configuration details. This can make it more difficult for attackers to identify potential targets and develop targeted attacks.

How to trigger error messages?

Error messages can be triggered in a variety of ways, depending on the system or application in question. Here are a few common ways that error messages can be triggered:

Invalid user input. In many cases, error messages are triggered when a user enters invalid or incorrect information into a form or field. For example, if a user tries to submit a form with an invalid email address, the system may generate an error message indicating that the email address is not valid.

  1. SQL injection: One common type of invalid user input vulnerability is SQL injection. Attackers can exploit this vulnerability by submitting SQL queries as user input, causing the system to execute the query and potentially exposing sensitive data. Example payload: ' OR 1=1; --'

  2. Cross-site scripting (XSS): Another type of invalid user input vulnerability is cross-site scripting, in which attackers inject malicious scripts into a website by submitting them as user input. Example payload: <script>alert('XSS Attack!');</script>

  3. Command injection: Command injection vulnerabilities allow attackers to execute arbitrary commands on the underlying system by submitting them as user input. Example payload: ; ls -la

  4. Path traversal: Path traversal vulnerabilities allow attackers to access files or directories outside of the intended scope by manipulating input that specifies a file path. Example payload: ../../../etc/passwd

System failures. Error messages can also be triggered by system failures, such as hardware or network issues. For example, if a network connection is lost while a user is trying to access a website, the system may generate an error message indicating that the site is not available.

Software bugs. Error messages can also be triggered by software bugs or programming errors. For example, if a software application encounters an unexpected condition or error, it may generate an error message indicating that an error has occurred.

Security-related issues. Error messages can also be triggered by security-related issues, such as when a user tries to access a resource for which they do not have sufficient permissions. In this case, the system may generate an error message indicating that the user is not authorized to access the resource.

Real world examples 

In 2016, a vulnerability was discovered in the login system of the popular dating app Tinder. The app displayed an error message indicating whether a particular email address was already registered with the service. This made it possible for attackers to use a brute-force attack to guess valid email addresses and gain access to user accounts.

In 2017, security researchers discovered that the website of a major UK retailer was leaking sensitive customer information through error messages. The website’s registration form contained a field for the user’s email address, and if the email address was already in use, the website displayed an error message that included the first and last name of the user associated with that email address.

In 2018, a vulnerability was discovered in the mobile app of a major hotel chain. The app displayed error messages containing sensitive user information, including email addresses, phone numbers, and booking confirmation numbers. This information could be used by attackers to access user accounts and view or modify bookings.

In 2019, security researchers discovered that the login form of a popular password manager was leaking sensitive information through error messages. The form would display an error message if a user entered an incorrect email address or password, but the error message also disclosed whether the email address was registered with the service. This made it possible for attackers to use a brute-force attack to guess valid email addresses and gain access to user accounts.

In 2020, a vulnerability was discovered in the website of a major US government agency. The website displayed an error message indicating whether a particular username existed in the system. This made it possible for attackers to use a brute-force attack to guess valid usernames and potentially gain access to sensitive government data.

In 2015, a vulnerability was discovered in the login system of a popular social media platform. The platform displayed an error message indicating whether a particular phone number was already registered with the service. This made it possible for attackers to use a brute-force attack to guess valid phone numbers and gain access to user accounts.

In 2016, a vulnerability was discovered in the website of a major US healthcare provider. The website displayed an error message indicating whether a particular email address was associated with a valid account. This made it possible for attackers to use a brute-force attack to guess valid email addresses and gain access to sensitive healthcare data.

In 2017, a vulnerability was discovered in the website of a major US retailer. The website’s password reset function displayed an error message indicating whether a particular email address was associated with a valid account. This made it possible for attackers to use a brute-force attack to guess valid email addresses and reset user passwords.

TOP CVE references for Information leakage through error messages 

Here are some CVE (Common Vulnerabilities and Exposures) references for information leakage through error messages:

CVE-2019-11687 – This vulnerability was found in the Huawei P20 Pro smartphone. The device’s login screen displayed an error message indicating whether a particular username existed in the system. This allowed attackers to use a brute-force attack to guess valid usernames and potentially gain access to the device.

CVE-2019-13914 – This vulnerability was found in the Login by WPMU DEV plugin for WordPress. The plugin displayed error messages that disclosed whether a particular email address was associated with a valid user account. This allowed attackers to use a brute-force attack to guess valid email addresses and gain access to user accounts.

CVE-2020-9548 – This vulnerability was found in the Apache Tomcat web server. The server’s error pages contained sensitive information, including the server’s version number and the name and location of certain files on the server. This information could be used by attackers to target known vulnerabilities in the server.

CVE-2021-31799 – This vulnerability was found in the Contact Form 7 plugin for WordPress. The plugin displayed error messages that contained sensitive information, including the name and location of certain files on the server. This information could be used by attackers to target known vulnerabilities in the server.

CVE-2021-33615 – This vulnerability was found in the WhatsApp messaging app. The app displayed an error message that disclosed the phone number associated with a particular account. This allowed attackers to use a brute-force attack to guess valid phone numbers and gain access to user accounts.

CVE-2021-31535 – This vulnerability was found in the Loginizer plugin for WordPress. The plugin displayed error messages that disclosed the username associated with a particular email address. This allowed attackers to use a brute-force attack to guess valid email addresses and gain access to user accounts.

CVE-2021-28031 – This vulnerability was found in the MantisBT bug tracking system. The system displayed error messages that contained sensitive information, including the names and locations of certain files on the server. This information could be used by attackers to target known vulnerabilities in the system.

CVE-2021-28797 – This vulnerability was found in the Django web framework. The framework’s error pages contained sensitive information, including the names and locations of certain files on the server. This information could be used by attackers to target known vulnerabilities in the framework.

CVE-2021-3715 – This vulnerability was found in the OpenBSD operating system. The system’s login screen displayed an error message that disclosed the number of valid usernames on the system. This allowed attackers to use a brute-force attack to guess valid usernames and potentially gain access to the system.

CVE-2021-38034 – This vulnerability was found in the phpMyAdmin database management tool. The tool’s error pages contained sensitive information, including the names and locations of certain files on the server. This information could be used by attackers to target known vulnerabilities in the tool.

TOP CWE references for Information leakage through error messages 

CWE-209: Information Exposure Through an Error Message – This CWE is a general category for information leakage through error messages.

CWE-215: Information Exposure Through Debug Information – This CWE covers information leakage through debug information, which can be exposed through error messages or other sources.

CWE-216: Information Exposure Through Timing Discrepancy – This CWE covers information leakage that can be inferred from the timing of error messages or other system behavior.

CWE-217: Failure to Report Error Information – This CWE covers situations where error information is not reported, which can make it more difficult to diagnose and fix system problems.

CWE-530: Exposure of Backup File to an Unauthorized Control Sphere – This CWE covers situations where error messages or other system information reveal the location of backup files, which can be used by attackers to gain unauthorized access.

CWE-778: Insufficient Logging – This CWE covers situations where error messages or other system information is not logged, which can make it more difficult to identify and respond to security incidents.

How organizations can be protected from Information leakage through error messages

Use custom error messages: Rather than using default error messages provided by the system or application, create custom error messages that do not reveal sensitive information. This will make it more difficult for attackers to determine what vulnerabilities or weaknesses exist in your system.

Limit the amount of information displayed: Make sure that error messages only display the minimum amount of information necessary to help the user or administrator understand the problem. Avoid displaying detailed technical information that could be useful to an attacker.

Use access controls: Implement access controls that limit the amount of information that users or attackers can access. This will make it more difficult for attackers to gather information that could be used to exploit vulnerabilities in your system.

Perform security testing: Regularly perform security testing, such as vulnerability scanning or penetration testing, to identify and address any potential vulnerabilities in your system.

Keep your software up-to-date: Make sure that all software, including operating systems, applications, and plugins, is kept up-to-date with the latest security patches and updates. This will help to reduce the risk of known vulnerabilities being exploited.

Train your employees: Provide regular security training to your employees to help them understand the risks associated with information leakage through error messages and how to prevent it. This will help to ensure that everyone in your organization is aware of the importance of protecting sensitive information.
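The first two measures above (custom error messages and limiting the information displayed) can be combined by keeping the full detail in a server-side log and giving the client only a generic message plus a reference ID. This is an added example, not code from the original article; the logger name, the failing `load_report` operation, its path and its backend string are all constructed for the illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")  # logger name is an assumption


def load_report(name: str) -> str:
    # Constructed failure; the path and backend string are hypothetical.
    raise FileNotFoundError(
        f"/srv/app/reports/{name}.csv missing (PostgreSQL 13.4 backend)"
    )


def leaky_error_body(exc: Exception) -> dict:
    """Weak form: exception text and stack trace are returned to the client."""
    trace = traceback.format_exception(type(exc), exc, exc.__traceback__)
    return {"error": repr(exc), "trace": "".join(trace)}


def safe_error_body(exc: Exception) -> dict:
    """Hardened form: detail goes to the server log, the client gets a reference."""
    incident_id = uuid.uuid4().hex
    log.error("incident %s", incident_id,
              exc_info=(type(exc), exc, exc.__traceback__))
    return {"error": "An internal error occurred.", "incident_id": incident_id}


def respond(name: str, render) -> tuple:
    """Run the operation; on failure build the response body with `render`."""
    try:
        return 200, {"data": load_report(name)}
    except Exception as exc:
        return 500, render(exc)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(respond("q3", leaky_error_body))
    print(respond("q3", safe_error_body))
```

Support staff can look up the incident ID in the log to see the stack trace, so nothing useful for diagnosis is lost by withholding it from the response.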

Conclusion 

Information leakage through error messages can pose a serious security risk for organizations and users. Attackers can use the information revealed in error messages to gain access to systems, steal sensitive data, or launch other attacks. To protect against this type of vulnerability, organizations should use custom error messages that do not reveal sensitive information, limit the amount of information displayed in error messages, and implement access controls to restrict the information that can be accessed by users or attackers. Regular security testing and employee training can also help to reduce the risk of information leakage through error messages. By taking these steps, organizations can improve the security of their systems and protect against potential data breaches and other cyberattacks.
