Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#25428 closed defect (bug) (duplicate)

All administrator, authors, usernames able to be discovered

Reported by: taipo
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.6.1
Component: Users
Keywords:
Focuses:
Cc:

Description

By appending ?author=2 ?author=3 or whatever userid number, an attacker is able to retrieve the complete list of usernames including the administrator usernames.

This then gives the attacker an advantage for brute-forcing user password combinations.

Change History (3)

#1 @SergeyBiryukov
7 years ago

  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #5388, #20235, #23043.

Related: #3708, #4290, #5301, #12129, #14644, #22421.

#2 @taipo
7 years ago

I think the reason why we keep submitting this to be fixed is because it is now common practice to change the name of the initial admin to something obscure, and not use it as the primary username to post from. Many users are now setting up another user with the lowest posting role possible as their primary posting user to protect any username with administrator powers from being discovered and therefore brute-forced. For the reasons that 1/ some sites are actually being brute-force cracked even with what they believe are difficult-to-crack passwords, and 2/ webhosts tend to find breaches of terms of service faster when it's your website slowing their servers down, and this leads to your site being removed or at least receiving a warning about CPU usage or something similar.

This is because right now there are a series of botnets brute-forcing WordPress logins in this very fashion: first they scan the first 2-3 user id numbers, i.e. /?author=2, /?author=3, etc., then those usernames that are discovered from the pages that load from those requests are jackhammered until their hashes are cracked. The botnets appear to have a lot of resources and are not fazed in the slightest by IP banning, but they do appear to move on, presumably to another site on their list, when, via some clever .htaccess code, we ban access to ?author=(some number).

Meanwhile the servers on which the WP websites that receive this type of attention sit are receiving denial of service attacks, which invariably leads to breach of terms of service by the webhosts, and on and on it goes.

So what is needed to prevent this attack is a simple on/off setting for public viewing of usernames.
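The scan pattern described in this comment (a short run of `/?author=N` probes from one source, followed by a burst of `wp-login.php` POSTs for the usernames the redirects revealed) is easy to pick out of an ordinary access log. The script below is an added example written for this ticket page, not code from the ticket or from WordPress core. It assumes Apache/nginx combined log format and uses constructed sample lines with documentation IP ranges; the thresholds (two or more distinct author IDs, five or more login POSTs inside a 60-second window) are illustrative defaults, not values taken from the ticket.

```python
"""Detect ?author=N user-enumeration probes, and any follow-on wp-login.php
bursts from the same source, in combined-format web server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 203.0.113.7 probes author IDs 1-3
# (the 301s redirect to /author/<login>/) and then hammers wp-login.php;
# 198.51.100.4 only probes; 192.0.2.10 is an ordinary visitor logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2013:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Sep/2013:10:01:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.30"
198.51.100.4 - - [27/Sep/2013:10:01:01 +0000] "GET /?author=3 HTTP/1.1" 404 1234 "-" "curl/7.30"
192.0.2.10 - - [27/Sep/2013:10:02:00 +0000] "GET /author/editor/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Sep/2013:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse_line(line):
    """Return the fields needed from one combined-format line, or None if it doesn't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def max_in_window(times, window):
    """Largest number of events inside any interval of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(log_text, min_ids=2, login_threshold=5, window=timedelta(seconds=60)):
    """Per source IP, collect the distinct author IDs probed and the peak rate of
    POSTs to wp-login.php. Only IPs that probed at least `min_ids` IDs are reported."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = AUTHOR_RE.search(rec["path"])
        if m and rec["method"] == "GET":
            author_ids[rec["ip"]].add(int(m.group(1)))
        elif rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]].append(rec["ts"])

    findings = []
    for ip in sorted(author_ids):
        ids = author_ids[ip]
        if len(ids) < min_ids:
            continue
        peak = max_in_window(login_posts[ip], window)
        findings.append({
            "ip": ip,
            "author_ids": sorted(ids),
            "peak_login_posts": peak,
            "verdict": "enumeration+bruteforce" if peak >= login_threshold else "enumeration",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:<15} ids={f['author_ids']} "
              f"peak_login_posts={f['peak_login_posts']} -> {f['verdict']}")
```

Two details matter for a real deployment: the probe is counted on the request, not the response code, because a site that answers `?author=N` with a 404 or a rewrite to the home page is still being enumerated, and the login-burst check is windowed so that an ordinary user logging in a few times over a day does not trip it while a scripted run of attempts does.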

#3 @hameau
7 years ago

Sorry to go back again and again, but I strongly believe that the use of the pseudonym rather than the login might be hardcoded in the core, so the login never appears in the URLs, whatever the reason, and I believe that THIS MUST BE DONE BEFORE WP 4.0, which will come soon (just after 3.9, I mean, unless you prefer WP versions going through 3.10, 3.11 … up to 3.99 before the 4.0?)
