
#50254 closed defect (bug) (duplicate)

User-name Enumeration

Reported by: virajmota
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Users
Keywords:
Focuses: privacy
Cc:

Description

Hello Team,

Hope you and your team are doing well.
It was observed that we can enumerate the list of usernames that are presently in use.

Once the username is found, it is possible to brute-force for a password, as we will see.

Steps:
1) Navigate to the URL given below and capture the request in a proxy tool.
URL: https://wordpress.com/log-in/link

2) Send the request to Repeater and enter a guessable username; in return it throws either a message that the user name is not valid, or success (200).

3) For a wrong user, the response throws "user is not valid".

4) For a correct one, the response throws a 200 status message.

Note: It helps an attacker to enumerate the list of "valid" usernames.

Mitigation: Add a custom response for incorrect ones.

Attachments (3)

  • valid username 2.png (58.3 KB) - added by virajmota 12 months ago.
  • Non-valid username.png (58.9 KB) - added by virajmota 12 months ago: "Non-valid username, which is not created yet"
  • valid username 3 .png (26.7 KB) - added by virajmota 12 months ago: "Used previously guessed valid username for login: successful."


Change History (4)

@virajmota
12 months ago

Non-valid username, which is not created yet

@virajmota
12 months ago

Used previously guessed valid username for login: successful.

#1 @SergeyBiryukov
12 months ago

  • Component changed from General to Users
  • Focuses accessibility coding-standards removed
  • Keywords needs-refresh removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome to WordPress Trac! Thanks for the report.

Just noting this has been previously reported a few times, most recently in #40667 and #45318.

As stated in the Reporting Security Vulnerabilities handbook article, we don't consider usernames (and by extension, the existence of accounts) to be private. A similar thing can be achieved just by browsing the /author/{slug} views.

We need to balance user friendliness with information disclosure, and as usernames are not considered private information, user friendliness wins here.

Please note that this Trac is used for enhancements and bug reporting for the WordPress core software; it is not the right place to discuss potential security issues, or issues specific to the WordPress.com platform.

Please don't ignore the warning that Trac displays when creating security tickets. If you believe you've found a vulnerability, please disclose it to us privately, via HackerOne.

Related: #3708, #4290, #5301, #12129, #22421, #27125, #31787, #40667.
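For site operators who, unlike core, prefer to hide account existence on the login form, the reporter's proposed mitigation (one uniform response for a wrong username and a wrong password) can be applied on a self-hosted WordPress site with a small plugin. The following is an added example written for this page; it is not WordPress core code and not the reporter's. The hook names (`authenticate`, `login_errors`) and the WP_Error codes it matches (`invalid_username`, `invalid_email`, `incorrect_password`) are real core identifiers; the plugin name and function names are hypothetical. It assumes the self-hosted wp-login.php flow, not the WordPress.com login page the report points at.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (hypothetical, added example)
 *
 * Collapses the distinguishable "unknown username" / "incorrect password"
 * outcomes of wp_authenticate() into one generic WP_Error, so the login
 * response no longer tells the client whether the account exists.
 * Works for wp-login.php and for XML-RPC, because both go through the
 * 'authenticate' filter chain.
 */

// Core error codes that reveal whether the account exists. Other codes
// (e.g. 'empty_username', 'empty_password') carry no such information and
// are deliberately left untouched so the form stays usable.
const UNIFORM_LOGIN_ERROR_CODES = array(
    'invalid_username',   // from wp_authenticate_username_password()
    'invalid_email',      // from wp_authenticate_email_password()
    'incorrect_password', // from either of the above
);

/**
 * Runs after core's own authenticate callbacks (priorities 20 and 30) and
 * replaces an account-revealing WP_Error with one generic error.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier callbacks.
 * @param string                $username Submitted login name (unused).
 * @param string                $password Submitted password (unused).
 * @return WP_User|WP_Error|null
 */
function uniform_login_errors_authenticate( $user, $username, $password ) {
    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), UNIFORM_LOGIN_ERROR_CODES, true ) ) {
        return new WP_Error(
            'uniform_login_error',
            __( '<strong>Error:</strong> The username or password you entered is incorrect.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'uniform_login_errors_authenticate', 40, 3 );

/**
 * Second line of defence on wp-login.php only: if the HTML error block about
 * to be printed still contains the distinguishing wording from core, swap it
 * for the generic text. Messages that carry no account information are
 * passed through unchanged.
 *
 * @param string $errors_html Error HTML assembled by wp-login.php.
 * @return string
 */
function uniform_login_errors_message( $errors_html ) {
    $revealing = array( 'Unknown username', 'Unknown email address', 'The password you entered for the username' );
    foreach ( $revealing as $needle ) {
        if ( false !== strpos( $errors_html, $needle ) ) {
            return '<strong>Error:</strong> The username or password you entered is incorrect.';
        }
    }
    return $errors_html;
}
add_filter( 'login_errors', 'uniform_login_errors_message' );
```

Drop the file into wp-content/plugins/ and activate it. The second filter matches substrings of core's current English messages, so it is a fallback only; the `authenticate` filter is the reliable part. Two caveats a practitioner should keep in mind: as the maintainer's comment says, the same information is still available through the /author/{slug} views (and anywhere else that exposes user slugs), so this closes only the login-form channel; and a uniform message does not equalise response time, since core returns early for an unknown username without running the password hash check, so a careful client may still distinguish the two cases by timing. Rate limiting failed logins addresses the brute-force follow-on the report describes regardless of what the error message says.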
