Bug #7512

Auth Widget is leaking information about existing users

Added by Adrian Guzowski over 2 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 04/07/2020
Due date: -
% Done: 0%
Estimated time: -

Description

When you type a login that does not exist in the database, the widget will validate this field and mark it invalid.

This is a security issue, since an attacker can use this validation system as a probe to check whether a given login exists or not.

The expected behaviour for an authentication component would be to simply indicate that the login either succeeded or failed, but not to specify any details of the failure.
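To make the reported behaviour concrete, here is an added example (not code from the widget or from this project) contrasting a per-field login check with a login routine that returns one uniform failure message. The user store, the password hashing scheme (PBKDF2) and the function names are assumptions chosen for the illustration; the point is that the caller receives the same message, and does the same amount of work, whether the login is unknown or the password is wrong.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; chosen here only to give the example a realistic cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy credentials used when the login is unknown, so that the same hashing
# work happens on every attempt and the response time does not reveal existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid login or password."


def make_user_store(credentials: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Constructed in-memory store for the example: login -> (salt, password hash)."""
    store = {}
    for login, password in credentials.items():
        salt = os.urandom(16)
        store[login] = (salt, _hash_password(password, salt))
    return store


def validate_login_field_leaky(store: dict, login: str) -> str:
    """The behaviour described in this report: field-level validation that
    answers differently depending on whether the login exists (an enumeration oracle)."""
    return "" if login in store else "Unknown login"


def authenticate(store: dict, login: str, password: str) -> tuple[bool, str]:
    """Uniform-response login: the returned message is identical for an unknown
    login and for a known login with the wrong password."""
    salt, expected = store.get(login, (_DUMMY_SALT, _DUMMY_HASH))
    # Hash unconditionally so unknown logins cost the same as known ones.
    candidate = _hash_password(password, salt)
    # The 'login in store' guard makes sure a match against the dummy hash never counts.
    if login in store and hmac.compare_digest(candidate, expected):
        return True, "Login succeeded."
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    print(validate_login_field_leaky(users, "alice"), "|", validate_login_field_leaky(users, "bob"))
    print(authenticate(users, "alice", "wrong"))
    print(authenticate(users, "bob", "wrong"))
```

The leaky validator is the probe the report describes: the two responses differ purely on whether the login exists. The `authenticate` function removes that signal from both the message and, by always running the hash, from the timing; if registration is open, as comment #1 notes, the sign-up path still needs the same consideration.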

#1

Updated by Roel Standaert over 2 years ago

I think there are many opinions on that subject. With most services you can't choose a username that already exists, so another way to find out if a user exists would be to try to register. I would say the "expected behavior" is not clear; there are different users with different expectations.

#2

Updated by Adrian Guzowski over 2 years ago

Roel Standaert wrote:

I think there are many opinions on that subject. With most services you can't choose a username that already exists, so another way to find out if a user exists would be to try to register. I would say the "expected behavior" is not clear; there are different users with different expectations.

There are cases when public registration is disabled - if it's optional, so should be this behaviour.

#3

Updated by Roel Standaert over 2 years ago

Yeah, if registration is disabled, I can see that. I was definitely not saying: definitely not. It could be an option, yeah.
