Email enumeration

The website in question reveals one or more email addresses in plain text.

What can happen?

Exposing an email address is not a vulnerability in itself, but addresses harvested by crawlers end up on spam lists, and an attacker can use them to target staff with spear phishing and similar social-engineering attacks. Where the address also serves as an account username, it additionally gives an attacker half of a credential for password-guessing attempts.

Remediation

Addresses under the reserved example domains (example.com, example.net and example.org, set aside for documentation by RFC 2606) are automatically filtered out of this finding, so use one of those whenever a placeholder address is needed in page content.

One option is to hide the address behind a CAPTCHA, so that a visitor has to solve a challenge before the address is shown. Google's reCAPTCHA Mailhide (https://www.google.com/recaptcha/admin#mailhide) was one such service but has since been discontinued, so check that whatever service you pick is still available before relying on it.

Another simple measure that cuts down the number of scrapers able to harvest the address is to assemble it at page load with JavaScript, so that the complete address never appears in the static HTML. Only crawlers that execute JavaScript (for example a headless browser) will still see it; bots that only parse the raw HTML will not. A minimal version looks like this (note the straight quotes, which the code requires):

<script>
    // Concatenated at runtime, so the full address is absent from the page source
    document.write("example" + "@example" + ".com");
</script>
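The following is an added example and not code from the original page or from the scanner itself. It puts the two ideas above together in one JavaScript module: a scanner-side check of the kind this finding relies on, which extracts addresses from static HTML and ignores the reserved example domains (including their subdomains), and a client-side variant of the snippet above that keeps the address out of the static markup by storing the reversed halves in data attributes and assembling the mailto link when the page is rendered. The markup structure, the attribute names and all sample addresses are constructed for illustration.

```javascript
// Added example, not the scanner's own code: (1) a scanner-side check that
// reports addresses in static HTML but ignores the reserved example domains,
// and (2) a client-side obfuscation that keeps the address out of the static
// markup. Markup structure, attribute names and all sample addresses are
// constructed for illustration.

// Reserved example domains (RFC 2606); addresses under them, including
// subdomains, are placeholders and are not reported.
const RESERVED_EXAMPLE_DOMAINS = ['example.com', 'example.net', 'example.org'];

// Pragmatic address pattern for scanning page text (not a full RFC 5322 parser).
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function isReservedExampleDomain(domain) {
  const d = domain.toLowerCase();
  return RESERVED_EXAMPLE_DOMAINS.some(r => d === r || d.endsWith('.' + r));
}

// Distinct (lower-cased) addresses found in the static markup, in order of
// first appearance, with example-domain placeholders filtered out.
function findExposedEmails(html) {
  const found = new Set();
  for (const m of html.matchAll(EMAIL_RE)) {
    const addr = m[0].toLowerCase();
    const domain = addr.slice(addr.lastIndexOf('@') + 1);
    if (!isReservedExampleDomain(domain)) found.add(addr);
  }
  return [...found];
}

// --- Client-side obfuscation --------------------------------------------

const reverse = s => [...s].reverse().join('');
const escapeAttr = s =>
  s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// Split at the last "@" and reverse each half, so neither the "@" nor the
// readable address appears in the emitted HTML.
function encodeEmail(address) {
  const at = address.lastIndexOf('@');
  if (at < 1 || at === address.length - 1) {
    throw new Error('not an email address: ' + address);
  }
  return { user: reverse(address.slice(0, at)), host: reverse(address.slice(at + 1)) };
}

function decodeEmail({ user, host }) {
  return reverse(user) + '@' + reverse(host);
}

// Markup the server emits instead of the plain address (hypothetical structure).
function obfuscatedMarkup(address, label = 'Contact us') {
  const { user, host } = encodeEmail(address);
  return `<a class="email" href="#" data-u="${escapeAttr(user)}" data-h="${escapeAttr(host)}">${label}</a>`;
}

// Browser side: rebuild each mailto link once the DOM is available. The guard
// lets this file also load under Node, where there is no document object.
function revealEmails(doc) {
  for (const el of doc.querySelectorAll('a.email[data-u][data-h]')) {
    const addr = decodeEmail({ user: el.dataset.u, host: el.dataset.h });
    el.href = 'mailto:' + addr;
    el.textContent = addr;
  }
}
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => revealEmails(document));
}

// Constructed sample page: two real-looking addresses plus two placeholders
// under example domains that the check must ignore.
const SAMPLE_HTML = `
<p>Sales: sales@acme-webshop.com</p>
<p>Placeholder: someone@example.com, docs: help@mail.example.org</p>
<p>Support: SUPPORT@acme-webshop.com</p>`;
```

Running findExposedEmails over SAMPLE_HTML reports only the two acme-webshop.com addresses, while the markup produced by obfuscatedMarkup contains no "@" at all and so produces no match. Keep in mind what this buys you: a scraper that parses raw HTML is defeated, but any crawler that executes JavaScript still ends up with the plain address, so this is spam reduction, not protection of the address.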

If you do not consider this a security risk, mark it as an Accepted Risk. Not everyone sees spam as a direct problem, and that is okay. By marking it as an Accepted Risk we will no longer bother you about the issue in future reports.

Resources