Bug #22304
[External Audit Findings][MLEB, iOS, Android] User Enumeration through Error Messages
| Status: | Closed | Start date: | 29 July 2025 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | yap chekying | % Done: | 100% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
Description
Issue:
Error messages in an application can provide valid and invalid username information.
This information can potentially provide attackers with information for further attacks. This information allows attackers to perform brute-force attacks on the application.
Recommendation from pentester:
It is recommended to provide the same information in the error message so that it does not display whether the username is valid or not.
Please refer to attached excel for details.
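Added example, not code from the ticket or from the MLEB app: a login handler that leaks whether a username exists, beside the fix the finding recommends (one generic message, and the same status code, whichever check failed). The user store, salt and passwords are constructed sample data; the dummy-hash step that keeps response time uniform for unknown users is an assumption that goes beyond the ticket.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown user still costs one hash computation
# (assumption: avoids a timing oracle; not part of the ticket's wording).
_DUMMY = (_SALT, _hash("dummy", _SALT))

GENERIC = "Invalid username or password"  # the hardened, uniform message

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Before: distinct messages and codes reveal which usernames exist."""
    if username not in USERS:
        return 404, "User does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "OK"

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """After: identical response whether the user or the password failed."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if username not in USERS or not ok:
        return 401, GENERIC
    return 200, "OK"

def leaks_user_existence(handler) -> bool:
    """True if the response for an unknown user differs from the response
    for a valid user with a wrong password (the enumeration oracle)."""
    return handler("nobody", "x") != handler("alice", "x")
```

Running `leaks_user_existence` against both handlers is the regression check a reviewer can keep in the backend test suite after the wording change.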
History
#1 Updated by Tan Hi Ann about 1 month ago
- Status changed from New to Resolved
RC: Error messages provide valid and invalid username information.
Solution: Modify error message to generic message
Note: Awaiting Android FE to implement changes
#2 Updated by Tan Hi Ann about 1 month ago
- Assignee changed from Tan Hi Ann to Hao Ter Tai
#3 Updated by Hao Ter Tai about 1 month ago
- Assignee changed from Hao Ter Tai to He Xi Yeo
31/7/2025 [External Audit Findings][MLEB] User Enumeration through Error Messages
Issue:
Error messages in an application can provide valid and invalid username information.
This information can potentially provide attackers with information for further attacks. This information allows attackers to perform brute-force attacks on the application.
Solution:
FE uses BE's status message as the error message instead of a hardcoded error message
#4 Updated by He Xi Yeo about 1 month ago
- Assignee changed from He Xi Yeo to yap chekying
- % Done changed from 0 to 100
#5 Updated by yap chekying about 1 month ago
- File RE OCBC Business Mobile app Audit Findings - July 2025.msg added
- File WhatsApp Image 2025-08-06 at 11.04.36 (3).jpeg added
- File WhatsApp Image 2025-08-06 at 11.04.36 (2).jpeg added
- File WhatsApp Image 2025-08-06 at 11.04.36 (1).jpeg added
- File WhatsApp Image 2025-08-06 at 11.04.36.jpeg added
- File WhatsApp Image 2025-08-06 at 11.04.35 (1).jpeg added
- File WhatsApp Image 2025-08-06 at 11.04.35.jpeg added
- Status changed from Resolved to Pending UAT
#6 Updated by yap chekying about 1 month ago
- Priority changed from Immediate to Normal
#7 Updated by yap chekying about 1 month ago
- Subject changed from [External Audit Findings][MLEB] User Enumeration through Error Messages to [External Audit Findings][MLEB, iOS, Android] User Enumeration through Error Messages
#8 Updated by yap chekying about 1 month ago
- Status changed from Pending UAT to Pending PROD
#9 Updated by yap chekying 26 days ago
- File New wording 1.png added
- File New wording 2.png added
- File New wording 3.png added
- File New wording 4.png added
OCBC requested new wording for error message s0014
#10 Updated by yap chekying 13 days ago
- Status changed from Pending PROD to Closed
Released to production