Usernames are leaked when clicking the "Forgot your password?" link on the user login page

Created on 28 July 2021, almost 3 years ago
Updated 11 March 2023, over 1 year ago

Problem/Motivation

When a user attempts to log in unsuccessfully, the error message includes the link "Forgot your password?", which points to the password reset page. The generated link is /user/password?name={user name entered by user}

This means that on the password reset page analytics services like Google Analytics will receive a copy of the user name (both valid and invalid), and usernames will also be leaked in the referrer if the user goes to another website from this page.

Steps to reproduce

1. Go to /user/login and log in with an incorrect password.
2. The error message returned says "Unrecognized username or password. Forgot your password?". The "Forgot your password?" text is a link to /user/password?name={username entered}.
3. Click on the "Forgot your password?" link and you will be directed to the password reset page; because the name field in the query string is set, the name field will be automatically populated.
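As an added illustration (not code from this issue or from Drupal core), the Python below models the two leak paths described above: what a browser puts in the Referer header when the user leaves /user/password?name=... for another site under each Referrer-Policy value, a scrub step that removes the name parameter before a page URL is handed to an analytics service, and a log audit that finds requests which arrived with a username in the query string. The site, usernames and log lines are constructed; the policy table follows the W3C Referrer Policy specification.

```python
"""Added example (not Drupal core code): what leaves the site when the
"Forgot your password?" link carries the entered username, and how to find
such requests in web server logs. Site, usernames and log lines are constructed."""
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed values standing in for a Drupal site and a user's input.
SITE = "https://example.org"
RESET_URL = f"{SITE}/user/password?name=alice"


def referer_sent(policy, from_url, to_url):
    """Referer header a browser sends when navigating from_url -> to_url under
    the given Referrer-Policy value, or None when nothing is sent. Follows the
    policy table of the W3C Referrer Policy specification."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    # A "full" referrer keeps the query string (where the username sits) but
    # drops the fragment.
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    origin = f"{src.scheme}://{src.netloc}/"
    table = {
        "no-referrer": None,
        "unsafe-url": full,
        "origin": origin,
        "same-origin": full if same_origin else None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin": None if downgrade else origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin),
    }
    return table[policy]


def scrub_for_analytics(url, sensitive=("name",)):
    """Drop sensitive query parameters before a page URL is reported to an
    analytics service; the rest of the URL is preserved unchanged."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k not in sensitive]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))


# Constructed Apache "combined" log lines: two users click the link, one does not.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jul/2021:10:00:00 +0000] "GET /user/login HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Jul/2021:10:00:09 +0000] "GET /user/password?name=alice HTTP/1.1" 200 5120 "https://example.org/user/login" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jul/2021:10:01:00 +0000] "GET /user/password?name=bob%40example.com HTTP/1.1" 200 5120 "https://example.org/user/login" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jul/2021:10:02:00 +0000] "GET /user/password HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def audit_reset_links(lines):
    """Return (client_ip, username) for every request that reached the password
    reset form with a username in the query string. The result sizes the
    exposure already present in logs; it is not meant to be retained."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/user/password":
            continue
        # parse_qs percent-decodes, so bob%40example.com becomes bob@example.com.
        for name in parse_qs(target.query).get("name", []):
            hits.append((m.group("ip"), name))
    return hits


if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_sent(policy, RESET_URL, 'https://other.example/')}")
    print(scrub_for_analytics(RESET_URL))
    print(audit_reset_links(SAMPLE_LOG))
```

Run directly, it prints the referrer each policy would send on a cross-origin navigation. Under the current browser default of strict-origin-when-cross-origin only the origin leaves the site, but the first-party page itself, and any analytics script running in it, still sees the full URL including the name parameter, which is why the scrub step and the log audit are the parts a site operator actually needs.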

Proposed resolution

In #4, longwave explained that this is by design and directed readers to "Disclosure of usernames and user IDs is not considered a weakness" for the reasons. That documentation also includes how to change this behavior using contributed modules.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Closed: works as designed

Version

9.5

Component
User system

Last updated about 19 hours ago

Created by

gordon (Melbourne, Australia)
