Opened 4 years ago
Closed 4 years ago
#50254 closed defect (bug) (duplicate)
User-name Enumeration
| Reported by: | virajmota | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Users | Keywords: | |
| Focuses: | privacy | Cc: | |
Description
Hello Team,
Hope you and your team are doing well.
It was observed that we can enumerate the list of usernames that are presently in use.
Once the username is found, it is possible to brute-force for a password.
Steps:
1) Navigate to the URL given below and capture the request in a proxy tool.
URL- https://wordpress.com/log-in/link
2) Send the request to Repeater and enter a guessable username; in return it throws a message that the user name is not valid, or success (200).
3) For a wrong user, the response throws "user is not valid".
4) For a correct one, the response throws a 200 status message.
Note: It helps an attacker to enumerate the list of "valid" usernames.
Mitigation: Add a custom response for incorrect ones.
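The report above describes a login endpoint whose failure response differs depending on whether the account exists, and proposes a uniform response as the mitigation. The following is an added example (not code from the ticket, from WordPress, or from wordpress.com) that shows both forms side by side in Python: a leaky handler that answers differently for an unknown user and for a wrong password, a hardened handler that returns one failure response and does the same password-hashing work on both paths (so the account's existence does not leak through the message, the status code, or timing), and a self-check a site operator can run against their own handler. The user store, usernames and passwords are constructed for the example; the function names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

# Constructed sample user store (not real data): username -> (salt, PBKDF2 hash)
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy credential so the "user not found" path performs the same hashing work
# as the "wrong password" path; otherwise response time alone reveals existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-valid", _DUMMY_SALT)

Response = Tuple[int, str]  # (HTTP-style status, message body)


def leaky_login(username: str, password: str) -> Response:
    """Vulnerable form: status and message reveal whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return 404, "user name is not valid"          # only unknown users get this
    salt, expected = record
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return 200, "success"
    return 401, "wrong password"                      # only known users get this


def uniform_login(username: str, password: str) -> Response:
    """Hardened form: one failure response, same work on every failure path."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    # The membership test guards the (unlikely) case where the submitted
    # password happens to match the dummy credential for an unknown user.
    if ok and username in USERS:
        return 200, "success"
    return 401, "invalid username or password"


def leaks_account_existence(handler: Callable[[str, str], Response]) -> bool:
    """Operator self-check: does a failed login for an unknown user look different
    from a failed login for a known user with the wrong password?"""
    unknown_user = handler("no-such-user", "not-the-password")
    known_user_wrong_pw = handler("alice", "not-the-password")
    return unknown_user != known_user_wrong_pw


if __name__ == "__main__":
    print("leaky_login leaks existence:  ", leaks_account_existence(leaky_login))
    print("uniform_login leaks existence:", leaks_account_existence(uniform_login))
```

The self-check only compares the response tuple; in a real deployment the same idea extends to headers, redirect targets and response timing, which is why the hardened handler hashes a dummy credential instead of returning early when the user is not found.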
Attachments (3)
Change History (4)
#1 @ 4 years ago
- Component changed from General to Users
- Focuses accessibility coding-standards removed
- Keywords needs-refresh removed
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
Hi there, welcome to WordPress Trac! Thanks for the report.
Just noting this has been previously reported a few times, most recently in #40667 and #45318.
As stated in the Reporting Security Vulnerabilities handbook article, we don't consider usernames (and by extension, the existence of accounts) to be private. A similar thing can be achieved just by browsing the /author/{slug} views.
We need to balance user friendliness with information disclosure and as usernames are not considered private information, user friendliness wins here.
Please note that this Trac is used for enhancements and bug reporting for the WordPress core software, it is not the right place to discuss potential security issues, or issues specific to the WordPress.com platform.
Please don't ignore the warning that Trac displays when creating security tickets. If you believe you've found a vulnerability, please disclose it to us privately, via HackerOne.
Related: #3708, #4290, #5301, #12129, #22421, #27125, #31787, #40667.
Non-valid username, which is not created yet