Bug #22304

[External Audit Findings][MLEB, iOS, Android] User Enumeration through Error Messages

Added by yap chekying 2 months ago. Updated about 1 month ago.

Status:ClosedStart date:29 July 2025
Priority:NormalDue date:
Assignee:yap chekying% Done:

100%

Category:-Spent time:-
Target version:-

Description

Issue:
Error messages in an application can provide valid and invalid username information.
This information can potentially provide attackers with information for further attacks. This information allows attackers to perform brute-force attacks on the application.

Recommendation from pentester:
It is recommended to provide the same information in the error message so that it does not display whether the username is valid or not.

Please refer to attached excel for details.

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:10 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 11:03 AM

WhatsApp Image 2025-08-06 at 11.04.36 (2).jpeg (53.2 KB) yap chekying, 06 August 2025 11:05 AM

WhatsApp Image 2025-08-06 at 11.04.36 (3).jpeg (53.7 KB) yap chekying, 06 August 2025 11:05 AM

WhatsApp Image 2025-08-06 at 11.04.36 (1).jpeg (45.3 KB) yap chekying, 06 August 2025 11:05 AM

WhatsApp Image 2025-08-06 at 11.04.36.jpeg (56 KB) yap chekying, 06 August 2025 11:05 AM

WhatsApp Image 2025-08-06 at 11.04.35.jpeg (64.3 KB) yap chekying, 06 August 2025 11:05 AM

WhatsApp Image 2025-08-06 at 11.04.35 (1).jpeg (63.7 KB) yap chekying, 06 August 2025 11:05 AM

New wording 1.png (156 KB) yap chekying, 13 August 2025 11:49 AM

New wording 2.png (166 KB) yap chekying, 13 August 2025 11:49 AM

New wording 4.png (117 KB) yap chekying, 13 August 2025 11:49 AM

New wording 3.png (148 KB) yap chekying, 13 August 2025 11:49 AM

History

#1 Updated by Tan Hi Ann 2 months ago

  • Status changed from New to Resolved

RC: Error messages provides valid and invalid username information.

Solution: Modify error message to generic message

Note: Awaiting Android FE to implement changes

#2 Updated by Tan Hi Ann 2 months ago

  • Assignee changed from Tan Hi Ann to Hao Ter Tai

#3 Updated by Hao Ter Tai 2 months ago

  • Assignee changed from Hao Ter Tai to He Xi Yeo

238,053
31/7/2025 [External Audit Findings][MLEB] User Enumeration through Error Messages
Issue:
Error messages in an application can provide valid and invalid username information.
This information can potentially provide attackers with information for further attacks. This information allows attackers to perform brute-force attacks on the application.

Solution:
FE use BE’s status message as error message instead of hardcode error message

#4 Updated by He Xi Yeo 2 months ago

  • Assignee changed from He Xi Yeo to yap chekying
  • % Done changed from 0 to 100

#6 Updated by yap chekying about 2 months ago

  • Priority changed from Immediate to Normal

#7 Updated by yap chekying about 2 months ago

  • Subject changed from [External Audit Findings][MLEB] User Enumeration through Error Messages to [External Audit Findings][MLEB, iOS, Android] User Enumeration through Error Messages

#8 Updated by yap chekying about 2 months ago

  • Status changed from Pending UAT to Pending PROD

#9 Updated by yap chekying about 2 months ago

OCBC requested to change new wording for error message s0014

#10 Updated by yap chekying about 1 month ago

  • Status changed from Pending PROD to Closed

Released to production

Also available in: Atom PDF