Contrib.social

[policy] Consider username enumerations as security bugs that require Security Advisories

Open on Drupal.org β†’
Created on 7 October 2021, over 3 years ago
Updated 10 April 2023, about 2 years ago

Problem/Motivation

The security team currently does not accept security issues related to username enumeration (as per Disclosure of usernames and user IDs is not considered a weakness β†’ ) as part of the Security Advisory process even if usernames can be considered as personal information. (GDPR)

Proposed resolution

  • File public issues to find and and fix all the places in that future release that allow username enumeration or disclosure
  • Change the policy to be the opposite in an upcoming release: username enumeration is a privacy breach in core and contrib.
  • Release that version of Drupal core that does not contain ways to enumerate usernames.
  • After that release, username enumerations are handled by the Security Team and releases that fix them get Security Advisories.

Background

(The rest of the description was moved from the #3240913 β†’ )

What can be a username in 2021?
* a nickname (good old IRC days)
* a combination of first name + last name
* An email address (which usually contains the combination of a first name + last name)
* ...

What information a username can expose?

* personal information: first name + last name, email address (GDPR)
* Information about the company that a person is working for based on the email domain - in the enterprise world, just by knowing that XY is working with/for YZ, or XY is using this provider, you already have leverage. As a business persona, you can reach them, make counter offers or use this information anyhow to create damage for the other and value for you. As a malicious actor, you attack these ppl (eg.: with social engineering). Even bots can collect this information, and if usernames are email addresses can start sending some viagra... (spam protection is not working on JSON API endpoints ;) )

How usernames are set in Drupal?
* the traditional way, users choose their username - they are in control in this case
* the username is hidden and auto-generated from the provided information, for example, from the provided username via Email Registration β†’
* (typical enterprise example) it is auto-populated from an IDP when the user logs in via SSO and users may not even know what information is being shared between the involved systems - this also means that even if Drupal developers set the mapping between IDP attributes and user data, sometimes they do not even know what information is going to be stored in the username field because they never accessed production data

I think it is important to highlight that just by registration on the a, by default, you only accept that the site owners get access to your personal data (see above), not everyone.

A personal data breach is...

What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Example

Personal data breaches can include:

* access by an unauthorised third party;
* deliberate or accidental action (or inaction) by a controller or processor;
* sending personal data to an incorrect recipient;
* computing devices containing personal data being lost or stolen;
* alteration of personal data without permission; and
* loss of availability of personal data.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t....

At last but not least... let me disagree with

Drupal's philosophy
Usernames are an important part of online identity. Having a public username helps other users of a site to know the identity of the person they are interacting with, in a forum or a blog. Drupal is primarily intended to be used for sites where identity and interaction are key elements so it is reasonable for that information to be public.

My personal opinion: Drupal is a lot more than that for a long time. It is not just for hobbyists anymore. It is used by big enterprises for various use cases (e.g.: developer portals, developer experience platforms and see other case studies β†’ ) and the traditional CMS features like content management, blogging, commenting are secondary or least important features of the software. Developers are also using Drupal as a framework. If Drupal wants to be an enterprise-ready software, it has the growth for the task.

Related

* https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Shee...
* https://www.drupal.org/project/username_enumeration_prevention β†’

🌱 Plan
Status

Active

Version

10.0 ✨

Component
DocumentationΒ  β†’

Last updated 4 days ago

No maintainer
Created by

πŸ‡­πŸ‡ΊHungary mxr576 Hungary

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the β€œReport a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • Needs product manager review

    It is used to alert the product manager core committer(s) that an issue represents a significant new feature, UI change, or change to the "user experience" of Drupal, and their signoff is needed. If an issue significantly affects the usability of Drupal, use Needs usability review instead (see the governance policy draft for more information).

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago β†’
    cilefen
  • Comment about 2 years ago β†’
    cilefen
  • Comment about 2 years ago β†’
    cilefen
  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Changing queues as this is more a DST policy discussion impacting the entire D.O. ecosystem than it is a core issue.

  • Comment 8 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    It would have to be the formatter for usernames

    Yes, \Drupal\user\Plugin\Field\FieldFormatter\UserNameFormatter() should be used everywhere and the getDisplayName() should be deprecated on the user entity.

    The entire view's access could also include a check for that permission, right?

    Yes, the user entity's access handler could make a decision based on any condition, like a site-wide permission or a state of a checkbox on the user entity that indicates whether the user gave consent for exposings its username on the site or not.

    I would also add that one obvious location on every Drupal site for exposing usernames is the Author field on nodes that does not check whether the user gave consent for exposing their names or not (must be relying in an "explicit consent" which either given or not.)

  • Comment 8 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    Yes, \Drupal\user\Plugin\Field\FieldFormatter\UserNameFormatter() should be used everywhere and the getDisplayName() should be deprecated on the user entity.

    Took a look at UserNameFormatter and template_preprocess_username() again and it just feels odd, misplaced and very much a D7-heritage that a template preprocess function tries to ensure proper access checking before rendering. Getting rid of this and moving things around could be tricky, but IMO the field formatter (and other username field formatters) should be responsible for checking access to the data before they pass that to the rendering layer. See πŸ› The entity link label formatter should check URL access RTBC and πŸ› StringFormatter always displays links to entity even if the user in context does not have access Needs work .

    This worth a new child issue that can be tackled as a dedicated effort, am I correct?

  • Comment 8 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch

    @mxr576 yes any issues to improve core's username rendering/access should be separate core issues in the queue and can be worked on completely independently of this policy issue. I'd probably recommend a core meta issue (if there's not already one) related to this issue, then sub-issues under that.

    One place usernames get rendered in a non-standard way is in the node 'submitted' template variable which should be moved to an extra field per ✨ [META] Expose Title and other base fields in Manage Display Active .

  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    The steps laid out in the issue summary indicate the security team would get involved very late in this process. It's not a policy for the security team to decide separately from the core process.

  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    @greggles Perhaps you meant this needed an IS update instead?

    This is regarding DST policy, and would cover ALL modules on Drupal.Org not just core. Core does not set the D.O. security policy, the DST does.

  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    It might need one, but I still feel it belongs in the core queue until/unless it finishes with steps like the product manager review.

  • Comment 8 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand quietone
  • Comment 6 months ago β†’
    πŸ‡·πŸ‡΄Romania claudiu.cristea Arad πŸ‡·πŸ‡΄

    What about user selection widgets with autocomplete? They use to show the username

  • Comment 6 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    What about user selection widgets with autocomplete? They use to show the username

    Those are tricky ones indeed. Most likely they can only list usernames of users that the given user (current user) has view access to their usernames. For stored values, when the given user (current) user does not have access to view the other user's username it must display a placeholder (or just the user id, this is what we have in our solution).

  • Comment 5 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    Thank you to everyone following this issue and to those who join the conversation in the future!

    We’ve just published a blog post that explains why we believe this topic is critically important. The post also serves as a release announcement for two contributed modules we developed in-house to address this challenge:

    These modules do not require any API changes in Drupal core but aim to provide immediate, practical solutions. Ideally, a comprehensive solution would involve robust new APIs for managing personally identifiable information (PII), including but not limited to usernames.

    We hope these contributed modules can help move the discussion forward and pave the way for the necessary enhancements in core.

  • Comment 4 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary
  • Comment 4 months ago β†’
    πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί

    @claudiu.cristea #43 Those are behind a secret based on the salt. See \Drupal\Core\Entity\Element\EntityAutocomplete::processEntityAutocomplete and \Drupal\system\Controller\EntityAutocompleteController::handleAutocomplete $selection_settings_key argument.

  • Comment 4 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    Hm, reminder to me to check if there is missing entity access check
    in \Drupal\Core\Entity\Plugin\EntityReferenceSelection\DefaultSelection::getReferenceableEntities() - because it seems it only relies on query level access checking... - and that could be a reason why the "Author" autocomplete works interesting in node edit form when View Usernames and friends are enabled.

  • Comment 4 months ago β†’
    πŸ‡·πŸ‡΄Romania claudiu.cristea Arad πŸ‡·πŸ‡΄

    @penyaskito but it's still username enumeration, right?

  • Comment 4 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    if there is missing entity access check
    in \Drupal\Core\Entity\Plugin\EntityReferenceSelection\DefaultSelection::getReferenceableEntities() - because it seems it only relies on query level access checking...

    Indeed, that is the reason.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024