Contrib.social

[policy] Consider username enumerations as security bugs that require Security Advisories

Open on Drupal.org โ†’
Created on 7 October 2021, over 3 years ago
Updated 10 April 2023, about 2 years ago

Problem/Motivation

The security team currently does not accept security issues related to username enumeration (as per Disclosure of usernames and user IDs is not considered a weakness โ†’ ) as part of the Security Advisory process even if usernames can be considered as personal information. (GDPR)

Proposed resolution

  • File public issues to find and and fix all the places in that future release that allow username enumeration or disclosure
  • Change the policy to be the opposite in an upcoming release: username enumeration is a privacy breach in core and contrib.
  • Release that version of Drupal core that does not contain ways to enumerate usernames.
  • After that release, username enumerations are handled by the Security Team and releases that fix them get Security Advisories.

Background

(The rest of the description was moved from the #3240913 โ†’ )

What can be a username in 2021?
* a nickname (good old IRC days)
* a combination of first name + last name
* An email address (which usually contains the combination of a first name + last name)
* ...

What information a username can expose?

* personal information: first name + last name, email address (GDPR)
* Information about the company that a person is working for based on the email domain - in the enterprise world, just by knowing that XY is working with/for YZ, or XY is using this provider, you already have leverage. As a business persona, you can reach them, make counter offers or use this information anyhow to create damage for the other and value for you. As a malicious actor, you attack these ppl (eg.: with social engineering). Even bots can collect this information, and if usernames are email addresses can start sending some viagra... (spam protection is not working on JSON API endpoints ;) )

How usernames are set in Drupal?
* the traditional way, users choose their username - they are in control in this case
* the username is hidden and auto-generated from the provided information, for example, from the provided username via Email Registration โ†’
* (typical enterprise example) it is auto-populated from an IDP when the user logs in via SSO and users may not even know what information is being shared between the involved systems - this also means that even if Drupal developers set the mapping between IDP attributes and user data, sometimes they do not even know what information is going to be stored in the username field because they never accessed production data

I think it is important to highlight that just by registration on the a, by default, you only accept that the site owners get access to your personal data (see above), not everyone.

A personal data breach is...

What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Example

Personal data breaches can include:

* access by an unauthorised third party;
* deliberate or accidental action (or inaction) by a controller or processor;
* sending personal data to an incorrect recipient;
* computing devices containing personal data being lost or stolen;
* alteration of personal data without permission; and
* loss of availability of personal data.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t....

At last but not least... let me disagree with

Drupal's philosophy
Usernames are an important part of online identity. Having a public username helps other users of a site to know the identity of the person they are interacting with, in a forum or a blog. Drupal is primarily intended to be used for sites where identity and interaction are key elements so it is reasonable for that information to be public.

My personal opinion: Drupal is a lot more than that for a long time. It is not just for hobbyists anymore. It is used by big enterprises for various use cases (e.g.: developer portals, developer experience platforms and see other case studies โ†’ ) and the traditional CMS features like content management, blogging, commenting are secondary or least important features of the software. Developers are also using Drupal as a framework. If Drupal wants to be an enterprise-ready software, it has the growth for the task.

Related

* https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Shee...
* https://www.drupal.org/project/username_enumeration_prevention โ†’

๐ŸŒฑ Plan
Status

Active

Version

10.0 โœจ

Component
Documentationย  โ†’

Last updated 2 days ago

No maintainer
Created by

๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupalโ€™s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the โ€œReport a security vulnerabilityโ€ link in the project pageโ€™s sidebar. See how to report a security issue for details.

  • Needs product manager review

    It is used to alert the product manager core committer(s) that an issue represents a significant new feature, UI change, or change to the "user experience" of Drupal, and their signoff is needed. If an issue significantly affects the usability of Drupal, use Needs usability review instead (see the governance policy draft for more information).

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago โ†’
    cilefen
  • Comment about 2 years ago โ†’
    cilefen
  • Comment about 2 years ago โ†’
    cilefen
  • Comment 9 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States cmlara

    Changing queues as this is more a DST policy discussion impacting the entire D.O. ecosystem than it is a core issue.

  • Comment 9 months ago โ†’
    ๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary

    It would have to be the formatter for usernames

    Yes, \Drupal\user\Plugin\Field\FieldFormatter\UserNameFormatter() should be used everywhere and the getDisplayName() should be deprecated on the user entity.

    The entire view's access could also include a check for that permission, right?

    Yes, the user entity's access handler could make a decision based on any condition, like a site-wide permission or a state of a checkbox on the user entity that indicates whether the user gave consent for exposings its username on the site or not.

    I would also add that one obvious location on every Drupal site for exposing usernames is the Author field on nodes that does not check whether the user gave consent for exposing their names or not (must be relying in an "explicit consent" which either given or not.)

  • Comment 9 months ago โ†’
    ๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary

    Yes, \Drupal\user\Plugin\Field\FieldFormatter\UserNameFormatter() should be used everywhere and the getDisplayName() should be deprecated on the user entity.

    Took a look at UserNameFormatter and template_preprocess_username() again and it just feels odd, misplaced and very much a D7-heritage that a template preprocess function tries to ensure proper access checking before rendering. Getting rid of this and moving things around could be tricky, but IMO the field formatter (and other username field formatters) should be responsible for checking access to the data before they pass that to the rendering layer. See ๐Ÿ› The entity link label formatter should check URL access RTBC and ๐Ÿ› StringFormatter always displays links to entity even if the user in context does not have access Needs work .

    This worth a new child issue that can be tackled as a dedicated effort, am I correct?

  • Comment 9 months ago โ†’
    ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    @mxr576 yes any issues to improve core's username rendering/access should be separate core issues in the queue and can be worked on completely independently of this policy issue. I'd probably recommend a core meta issue (if there's not already one) related to this issue, then sub-issues under that.

    One place usernames get rendered in a non-standard way is in the node 'submitted' template variable which should be moved to an extra field per โœจ [META] Expose Title and other base fields in Manage Display Active .

  • Comment 9 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States greggles Denver, Colorado, USA

    The steps laid out in the issue summary indicate the security team would get involved very late in this process. It's not a policy for the security team to decide separately from the core process.

  • Comment 9 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States cmlara

    @greggles Perhaps you meant this needed an IS update instead?

    This is regarding DST policy, and would cover ALL modules on Drupal.Org not just core. Core does not set the D.O. security policy, the DST does.

  • Comment 9 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States greggles Denver, Colorado, USA

    It might need one, but I still feel it belongs in the core queue until/unless it finishes with steps like the product manager review.

  • Comment 9 months ago โ†’
    ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone
  • Comment 7 months ago โ†’
    ๐Ÿ‡ท๐Ÿ‡ดRomania claudiu.cristea Arad ๐Ÿ‡ท๐Ÿ‡ด

    What about user selection widgets with autocomplete? They use to show the username

  • Comment 7 months ago โ†’
    ๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary

    What about user selection widgets with autocomplete? They use to show the username

    Those are tricky ones indeed. Most likely they can only list usernames of users that the given user (current user) has view access to their usernames. For stored values, when the given user (current) user does not have access to view the other user's username it must display a placeholder (or just the user id, this is what we have in our solution).

  • Comment 6 months ago โ†’
    ๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary

    Thank you to everyone following this issue and to those who join the conversation in the future!

    Weโ€™ve just published a blog post that explains why we believe this topic is critically important. The post also serves as a release announcement for two contributed modules we developed in-house to address this challenge:

    These modules do not require any API changes in Drupal core but aim to provide immediate, practical solutions. Ideally, a comprehensive solution would involve robust new APIs for managing personally identifiable information (PII), including but not limited to usernames.

    We hope these contributed modules can help move the discussion forward and pave the way for the necessary enhancements in core.

  • Comment 4 months ago โ†’
    ๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary
  • Comment 4 months ago โ†’
    ๐Ÿ‡ช๐Ÿ‡ธSpain penyaskito Seville ๐Ÿ’ƒ, Spain ๐Ÿ‡ช๐Ÿ‡ธ, UTC+2 ๐Ÿ‡ช๐Ÿ‡บ

    @claudiu.cristea #43 Those are behind a secret based on the salt. See \Drupal\Core\Entity\Element\EntityAutocomplete::processEntityAutocomplete and \Drupal\system\Controller\EntityAutocompleteController::handleAutocomplete $selection_settings_key argument.

  • Comment 4 months ago โ†’
    ๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary

    Hm, reminder to me to check if there is missing entity access check
    in \Drupal\Core\Entity\Plugin\EntityReferenceSelection\DefaultSelection::getReferenceableEntities() - because it seems it only relies on query level access checking... - and that could be a reason why the "Author" autocomplete works interesting in node edit form when View Usernames and friends are enabled.

  • Comment 4 months ago โ†’
    ๐Ÿ‡ท๐Ÿ‡ดRomania claudiu.cristea Arad ๐Ÿ‡ท๐Ÿ‡ด

    @penyaskito but it's still username enumeration, right?

  • Comment 4 months ago โ†’
    ๐Ÿ‡ญ๐Ÿ‡บHungary mxr576 Hungary

    if there is missing entity access check
    in \Drupal\Core\Entity\Plugin\EntityReferenceSelection\DefaultSelection::getReferenceableEntities() - because it seems it only relies on query level access checking...

    Indeed, that is the reason.

  • Comment 2 days ago โ†’
    ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone

    Change the policy to be the opposite in an upcoming release: username enumeration is a privacy breach in core and contrib.

    Where is the current policy documented?

  • Comment 2 days ago โ†’
    ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    Current security team policy on this is here:
    https://www.drupal.org/drupal-security-team/security-team-procedures/dis... โ†’

    I think that eventually changing the policy would still overall be a security team decision (or some kind of joint core committer/security team decision), but it's impossible (or at least useless) to treat username enumeration as an issue to be handled in public until all known public issues are fixed, hence the change of project in #39.

  • Comment 2 days ago โ†’
    ๐Ÿ‡ฉ๐Ÿ‡ชGermany FeyP

    Where is the current policy documented?

    As already stated in the motivation section of the IS, this is currently documented at https://www.drupal.org/drupal-security-team/security-team-procedures/dis... โ†’

  • Comment 2 days ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States cmlara

    I think that eventually changing the policy would still overall be a security team decision (or some kind of joint core committer/security team decision), but it's impossible (or at least useless) to treat username enumeration as an issue to be handled in public until all known public issues are fixed, hence the change of project in #39.

    I would suggest the core team think of the DST policy as a 'minimum standard' that they will be held to by the DST and that they can be stricter if they desire.

    I also suggest the Drupal Core team (and the Drupal Security Team) take into account the points made in ๐Ÿ’ฌ Publication of CVE-2024-45440 by MITRE Active regarding how their policies really do not matter as much as what the global security industry opinion on the situation is. Note: I do believe since that incident the DST starting to better align with normal industry practices, I've had less tension with them regarding publications and they appear to be more accepting and understanding of the industry as a whole.

    There is potential here that should the Drupal Core team fail to adopt the policy proposed in this issue that going forward they may find themselves in the same situation as ๐Ÿ› Maintenance pages leak sensitive environment information. Needs review where the vulnerability was publicly disclosed per the DST/Core Team request, a CVE was acquired, and the Drupal Core Team had to 'scramble' to release a fix in order to allow site owners to deploy Drupal Core.

    Once Drupal Core is on GitLab issues, even if the DST does not work with the Core team there should be the ability to flag issues as Confidential allowing them to be 'worked in private' and the Core team can invoke CNA Rules v4.1.0 section 4.1.1 (Supplier determination) for publication of a CVE record.

    The above applies to all the existing publicly available Username Enumerations, they could potentially be assigned a CVE ID at any time. The core team may wish to consider adjusting its target priorities to resolve the underlying concerns sooner rather than later.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024