Bug #7512
openAuth Widget is leaking information about existing users
Description
When you type a login that does not exist in the database, the widget will validate this field and mark it invalid.
This is a security issue, since an attacker can use this validation system as a probe to check whether a given login exists or not.
The expected behaviour for an authentication component would be to simply indicate that the login either succeeded or failed, but not specify any details of the failure.
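The two behaviours the report contrasts, written out as an added, self-contained C++ illustration (this is not code from the bug report or from the widget's own code base): a "leaky" login handler that reports a separate error for an unknown login, beside a "uniform" one that returns the same result for an unknown login and a wrong password, and a small property check that a reviewer can keep as a unit test. The user store, logins, passwords and the dummy credential are constructed values; a real system would compare against a salted password hash rather than a plain string.

```cpp
// Added illustration, not code from the bug report or the project it concerns.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// Constructed user store: login -> stored credential. Plain strings are used only
// to keep the example self-contained; a real store holds salted password hashes.
static const std::map<std::string, std::string> kUsers = {
    {"alice", "correct horse"},
    {"bob",   "battery staple"},
};

// Constructed dummy credential checked when the login is unknown, so the same
// amount of work is done whether or not the account exists.
static const std::string kDummy = "not-a-real-credential";

enum class LoginResult { Success, UnknownLogin, WrongPassword, Failed };

// Compare two strings without an early exit on the first differing byte, and
// fold a length mismatch into the result instead of returning early.
bool constantTimeEquals(const std::string& a, const std::string& b) {
    std::size_t n = std::max(a.size(), b.size());
    unsigned char diff = static_cast<unsigned char>(a.size() != b.size());
    for (std::size_t i = 0; i < n; ++i) {
        unsigned char ca = i < a.size() ? static_cast<unsigned char>(a[i]) : 0;
        unsigned char cb = i < b.size() ? static_cast<unsigned char>(b[i]) : 0;
        diff |= static_cast<unsigned char>(ca ^ cb);
    }
    return diff == 0;
}

// Leaky variant: validates the login field on its own and tells the caller why
// the attempt failed, so the response reveals whether the login exists.
LoginResult loginLeaky(const std::string& login, const std::string& password) {
    auto it = kUsers.find(login);
    if (it == kUsers.end()) return LoginResult::UnknownLogin;   // existence leaks here
    if (it->second != password) return LoginResult::WrongPassword;
    return LoginResult::Success;
}

// Uniform variant: every failure is reported identically, and the credential
// check runs against a dummy value for unknown logins so the code path (and
// roughly the response time) is the same either way.
LoginResult loginUniform(const std::string& login, const std::string& password) {
    auto it = kUsers.find(login);
    const std::string& stored = (it == kUsers.end()) ? kDummy : it->second;
    bool matches = constantTimeEquals(stored, password);
    bool ok = matches && it != kUsers.end();   // a dummy match must never log anyone in
    return ok ? LoginResult::Success : LoginResult::Failed;
}

// Property check for a test suite: submit a known and an unknown login, both
// with a wrong password. If the outcomes differ, the handler exposes whether
// the login exists.
bool distinguishesLogins(LoginResult (*handler)(const std::string&, const std::string&)) {
    return handler("alice", "wrong") != handler("nobody", "wrong");
}

int main() {
    std::cout << "leaky handler distinguishes logins:   "
              << (distinguishesLogins(loginLeaky) ? "yes" : "no") << "\n";
    std::cout << "uniform handler distinguishes logins: "
              << (distinguishesLogins(loginUniform) ? "yes" : "no") << "\n";
    return 0;
}
```

The `distinguishesLogins` check is the part worth keeping around: it encodes the report's expected behaviour as a test, so a later change to the form's validation that reintroduces a per-field "unknown login" error fails the build rather than going unnoticed.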
Updated by Roel Standaert almost 5 years ago
I think there are many opinions on that subject. With most services you can't choose a username that already exists, so another way to find out if a user exists would be to try to register. I would say the "expected behavior" is not clear; there are different users with different expectations.
Updated by Adrian Guzowski almost 5 years ago
Roel Standaert wrote:
I think there are many opinions on that subject. With most services you can't choose a username that already exists, so another way to find out if a user exists would be to try to register. I would say the "expected behavior" is not clear; there are different users with different expectations.
There are cases where public registration is disabled - if it's optional, so should this behaviour be.
Updated by Roel Standaert almost 5 years ago
Yeah, if registration is disabled, I can see that. I was definitely not saying: definitely not. It could be an option, yeah.