web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Pages / User Enumeration Issue...
Power Pages
Unanswered

User Enumeration Issue: Failed PEN test

(0) ShareShare
ReportReport
Posted on by thegreatdanton1 23

Hi,

 

We recently had our PowerApps Portal penetration tested. One of the medium-severity findings in the report was that an attacker could enumerate user accounts via the forgot password functionality. The message displayed when an account doesn't exist in the database is "an account could not be found for the provided user id." An attacker could exploit this to identify valid user accounts registered in the application, potentially leading to brute-force attacks, social engineering, etc.

 

The PEN test recommendation is to implement a generic error message for the forgot password functionality.

Has anyone else encountered this issue during their Portal/Page PEN tests? If so, how did you address it? Is it a significant task to modify the forgot password flows?

 

Thanks

Categories:
Security
I have the same question (0)
  • Fubar Profile Picture
    Fubar 8,487 Super User 2026 Season 1 on at

    Yes, get all kinds of things from Penetration testing and some are ridiculous and would leave the end user not understanding what they need to do if implemented.  Depending on what they are usually all high/critical ones get implemented and medium low ones get assessed for practicality.

     

    I am assuming you are using local login, if so just remember Microsoft recommends using B2C.

     

    With that specific message, what do you think an attacker does if they get a generic message - do they stop or just keep pumping in email addresses until they don't get any error? (so not really any difference between generic and specific message in this case)

     

    Not sure if this is the one or not, or if it works still, you could try adding you own message by editing/adding the following Content Snippet 

    Account/PasswordReset/GenericError

     

  • thegreatdanton1 Profile Picture
    thegreatdanton1 23 on at

    Thank you. I think we have figured out a way to edit the password reset flow as well as the sign-in / sign-up flow, so we will try that in the hope of mitigating the PEN test items that came up.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Pages

#1
11manish Profile Picture

11manish 56

#2
Valantis Profile Picture

Valantis 46

#3
rezarizvii Profile Picture

rezarizvii 35

Last 30 days Overall leaderboard

Featured topics

Solution to LinkedIn Authentication in Power Apps Portals
Welcome to the Power Pages forum!

Product updates

Microsoft Power Platform Community release plans