Email Disclosure
- CAPEC 118
- CWE 200
- WASC 13
- OWASP PC-C7
Email Disclosure occurs when web applications expose email addresses of users, administrators, or system contacts through publicly accessible pages, error messages, or downloadable files. This may happen inadvertently in user lists, contact pages, forum posts, or backup files. Exposed email addresses can be harvested by attackers for phishing, spam campaigns, social engineering, or targeted attacks. Email disclosure often results from poor content sanitization, overly verbose error messages, or misconfigured access controls.
Common patterns leading to email disclosure:
- Listing user or administrator emails in public directories, forums, or documentation.
- Including emails in error messages, logs, or backup files accessible via the web.
- Default application templates exposing contact or notification addresses.
- Login, registration, or password-reset endpoints whose response differs depending on whether an address is registered, allowing attackers to enumerate valid emails.
Impacts:
- Phishing and Spam: Attackers can send deceptive emails to users or administrators.
- Social Engineering: Revealed email addresses facilitate targeted attacks.
- Account Compromise: The email address is usually the login identifier, so a harvested list is the first half of a credential-stuffing or password-reset attack and can be combined with other vulnerabilities to hijack accounts.
- Reputation Damage: Exposure of internal or customer emails can harm the organization’s credibility.
Detection indicators:
- Publicly visible email addresses in HTML content, documentation, or downloadable files.
- Error messages displaying email addresses.
- Security scanners identifying exposed emails or user enumeration endpoints.
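As an added example (not part of the original page and not any scanner's own code), the following Python check does what the detection indicators above describe: it normalizes a response body the way a browser or a harvester would (HTML entities, percent-encoded `mailto:` links, "[at]"/"[dot]" spelling), extracts addresses, and flags any whose domain is outside an assumed allow-list of domains the site is expected to publish. The sample page is constructed for the example.

```python
"""Scan an HTTP response body for disclosed email addresses (added example)."""
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Plain addresses as they appear in text, mailto: links, JSON, or script blocks.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# "Human" obfuscations that an automated harvester undoes just as easily.
DEOBFUSCATIONS = [
    (re.compile(r"\s*[\[\(\{]\s*at\s*[\]\)\}]\s*", re.IGNORECASE), "@"),
    (re.compile(r"\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*", re.IGNORECASE), "."),
]


def normalize(body: str) -> str:
    """Undo the encodings a browser or mail client would undo anyway."""
    text = html.unescape(body)  # &#64; / &#x40; -> @, &#46; -> .
    text = unquote(text)        # %40 inside mailto: hrefs -> @
    for pattern, replacement in DEOBFUSCATIONS:
        text = pattern.sub(replacement, text)
    return text


def find_emails(body: str) -> set[str]:
    """All addresses recoverable from one response body, lower-cased."""
    return {addr.lower() for addr in EMAIL_RE.findall(normalize(body))}


def classify(addresses: set[str], expected_domains: set[str]) -> dict[str, str]:
    """Addresses outside the domains the site is expected to publish
    (an assumed allow-list) are more likely staff, internal, or system
    accounts, so they get the higher severity."""
    findings = {}
    for addr in addresses:
        domain = addr.rsplit("@", 1)[1]
        findings[addr] = "info" if domain in expected_domains else "high"
    return findings


def scan(body: str, expected_domains: set[str]) -> dict[str, str]:
    return classify(find_emails(body), expected_domains)


# Constructed sample response: a contact page with several obfuscation styles,
# a verbose error, and a notification address leaked through a script block.
SAMPLE_PAGE = """<html><body>
<p>Contact: <a href="mailto:admin%40example.org">Admin</a></p>
<p>Webmaster: webmaster&#64;example&#46;org</p>
<p>Support: support [at] example [dot] org</p>
<div class="error">SQLSTATE error, notify dba@internal.example.org</div>
<script>var cfg = {"from": "noreply@example.org"};</script>
</body></html>"""


if __name__ == "__main__":
    for addr, severity in sorted(scan(SAMPLE_PAGE, {"example.org"}).items()):
        print(f"{severity:5} {addr}")
```

Run against each crawled page; the `high` findings are the ones worth a ticket on their own, while the `info` ones are mostly a judgement call about whether the address was meant to be public.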
Remediation
Mitigation focuses on protecting email information and controlling access:
Minimize Email Exposure
Avoid publishing email addresses publicly. Use contact forms instead of raw emails.
Sanitize Output
Remove emails from error messages, logs, and publicly accessible files. Return a generic message with a correlation reference to the user and keep the detail server-side.
Implement Anti-Enumeration Measures
Make registration, login, and password-reset endpoints respond identically whether or not an address is registered, and rate-limit them so attackers cannot enumerate emails.
Use Email Obfuscation
If public contact is necessary, consider obfuscating addresses in HTML to reduce automated harvesting. Note that entity encoding and "[at]"/"[dot]" spelling only stop naive harvesters; they are trivially reversed, so treat obfuscation as a last resort rather than a control.
Review Backup and Documentation
Ensure emails are not included in public-facing backups, documentation, or help files.
Monitor and Audit Access
Track access to resources that could expose email addresses.
Security Testing
Include email harvesting and disclosure tests in penetration testing and automated scanning.
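The following Python is an added example (not the page's own code and not any particular project's) of the Sanitize Output and Anti-Enumeration steps above: a logging filter that replaces addresses with a keyed-hash pseudonym so log lines stay correlatable without ever containing the address, a generic error response that keeps exception text away from the user, and a password-reset handler that answers identically whether or not the address is registered. The `LOG_REDACTION_KEY` variable, the `send_mail` callback, and the registered-user set are assumptions made for the example.

```python
"""Email redaction in logs/errors and an anti-enumeration reset flow (added example)."""
import hashlib
import hmac
import logging
import os
import re

# Assumption: a per-deployment secret taken from the environment. The fallback
# exists only so the example runs offline; never ship a fixed key.
REDACTION_KEY = os.environ.get("LOG_REDACTION_KEY", "example-only-key").encode()

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymize_email(addr: str, key: bytes = REDACTION_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized address, truncated. Events
    for one user can still be joined across log lines, but nobody holding the
    logs alone can recover or guess-and-verify the address without the key."""
    digest = hmac.new(key, addr.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"<email:{digest[:12]}>"


def redact_emails(text: str, key: bytes = REDACTION_KEY) -> str:
    """Replace every address in free text with its pseudonym."""
    return EMAIL_RE.sub(lambda m: pseudonymize_email(m.group(0), key), text)


class EmailRedactingFilter(logging.Filter):
    """Attach to a handler so addresses never reach log files, even when they
    arrive through %-style arguments rather than the format string itself."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first, then redact, so arguments are covered too.
        record.msg = redact_emails(record.getMessage())
        record.args = ()
        return True


def log_message_after_filter(fmt: str, *args) -> str:
    """What a handler carrying EmailRedactingFilter would actually emit."""
    record = logging.LogRecord("app", logging.ERROR, __file__, 0, fmt, args, None)
    EmailRedactingFilter().filter(record)
    return record.getMessage()


def error_response(exc: Exception, reference: str,
                   logger: logging.Logger = logging.getLogger("app")) -> dict:
    """The user sees a correlation reference, never the exception text, which
    may contain addresses (a failed mail send, a database row, a config value)."""
    logger.error("request %s failed: %s", reference, exc)
    return {"status": 500, "message": f"An internal error occurred (reference {reference})."}


GENERIC_RESET_MESSAGE = "If that address is registered, a password reset link has been sent."


def password_reset(email: str, registered: set, send_mail) -> dict:
    """Anti-enumeration: identical status code and body whether or not the
    address exists. `registered` and `send_mail` stand in for the user store
    and mailer of a real application (assumed here)."""
    if email.strip().lower() in registered:
        send_mail(email)
    return {"status": 200, "message": GENERIC_RESET_MESSAGE}


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(EmailRedactingFilter())
    logging.getLogger("app").addHandler(handler)
    print(log_message_after_filter("login failed for %s", "bob@example.org"))
    print(password_reset("nobody@example.org", {"bob@example.org"}, print))
```

Two caveats the code cannot show on its own: the registered and unregistered branches of `password_reset` must take comparable time (the mail send should be queued, not performed inline), otherwise response timing still reveals which addresses exist; and the filter only covers the message text, so traceback output (`exc_info`) should go through the same redaction before it is written.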