Username Enumeration Prevention

Created on 24 October 2023, almost 2 years ago

Problem/Motivation

Some parts of the code in email_registration might be prone to username enumeration attacks, see

Drupal itself also doesn't seem to be 100% safe for this: https://www.drupal.org/project/username_enumeration_prevention →

So I'm opening this as a regular issue, as this
The risk is mitigated by using anti-spam methods like Honeypot or CAPTCHA so that the attack can't scale well.

8.x-1.x is also affected, so the fix should be backported or 8.x-1.x should be deprecated when fixed.

Steps to reproduce

Test the existence of usernames in email_registration provided or modified forms.

Proposed resolution

See https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Shee... for possible solutions and how core and the contrib module handle the affected cases

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Active

Version

2.0

Component

Code

Created by

🇩🇪 Germany Anybody Porta Westfalica


Comments & Activities

  • Issue created by @Anybody
  • 🇩🇪 Germany Anybody Porta Westfalica

    Update: Only the EmailRegistrationLogin checkout pane seems to be affected. Perhaps we can solve this by using a more neutral message?

  • 🇩🇪 Germany Anybody Porta Westfalica
  • 🇩🇪 Germany Anybody Porta Westfalica

    @Grevil and I just took a look and it's fine. The message is the same with correct user and wrong password and wrong user. So no risk here.

    But it's a good chance to add a test for this, checking all the modified forms :)

    That test should simply check that the error message shown is the same for all cases, so usernames can't be guessed! I think that could be a nice novice functional testing task?

  • First commit to issue fork.
  • @hlopez opened merge request.
  • Status changed to Needs work almost 2 years ago
  • 🇩🇪 Germany Anybody Porta Westfalica

    @hlopez thanks, could you please add a link to this issue in the comments and describe what the test is for - protecting us from user enumeration attacks by comparing the message to the expected core messages?

    I guess password reset should also be tested.

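The test proposed in the two comments above (same error message for "known account, wrong password" and "unknown account", plus the same check on password reset) could look like the following. This is an added example, not the module's own test code: the `user/login` and `user/password` paths, the `name`/`pass` field keys, the "Log in"/"Submit" button labels, and the `[data-drupal-messages] .messages` selector (core's status messages markup in the `stark` theme) are assumptions about the forms that email_registration alters. It compares the complete rendered messages block rather than a hardcoded string, so it keeps working if core or the module rewords the message, and it strips the submitted identifier before comparing, because a neutral reset message may legitimately echo the address back.

```php
<?php

namespace Drupal\Tests\email_registration\Functional;

use Drupal\Tests\BrowserTestBase;

/**
 * Checks that email_registration's forms do not reveal whether an account exists.
 *
 * Example test, not part of the module. Paths, field keys, button labels and
 * the messages selector are assumptions (see lead-in).
 */
class UsernameEnumerationTest extends BrowserTestBase {

  protected static $modules = ['email_registration'];

  protected $defaultTheme = 'stark';

  /**
   * Submits a form and returns the rendered status/error messages as text.
   */
  protected function submitAndCollectMessages(string $path, array $values, string $button): string {
    $this->drupalGet($path);
    $this->submitForm($values, $button);
    $this->assertSession()->statusCodeEquals(200);
    // Assumption: core's status_messages markup (a data-drupal-messages
    // wrapper holding one .messages element per message type).
    $elements = $this->getSession()->getPage()->findAll('css', '[data-drupal-messages] .messages');
    $texts = array_map(static fn($element) => trim($element->getText()), $elements);
    return implode("\n", $texts);
  }

  /**
   * Removes the submitted identifier so that messages which echo it back
   * ("If X is a valid account ...") still compare equal across cases.
   */
  protected function normalize(string $message, string $identifier): string {
    return trim(str_replace($identifier, '<identifier>', $message));
  }

  public function testLoginFormDoesNotRevealAccounts(): void {
    $account = $this->drupalCreateUser();
    $known_email = $account->getEmail();
    $unknown_email = 'nobody-' . $this->randomMachineName() . '@example.com';
    $wrong_password = 'not-' . $account->passRaw;

    // Case A: existing account, wrong password.
    $known = $this->submitAndCollectMessages('user/login', [
      'name' => $known_email,
      'pass' => $wrong_password,
    ], 'Log in');

    // Case B: account that does not exist.
    $unknown = $this->submitAndCollectMessages('user/login', [
      'name' => $unknown_email,
      'pass' => $wrong_password,
    ], 'Log in');

    $this->assertNotEmpty($known, 'A failed login shows an error message.');
    $this->assertSame(
      $this->normalize($known, $known_email),
      $this->normalize($unknown, $unknown_email),
      'Login error must be identical for an unknown account and a wrong password.'
    );
  }

  public function testPasswordResetFormDoesNotRevealAccounts(): void {
    $account = $this->drupalCreateUser();
    $known_email = $account->getEmail();
    $unknown_email = 'nobody-' . $this->randomMachineName() . '@example.com';

    $known = $this->submitAndCollectMessages('user/password', ['name' => $known_email], 'Submit');
    $unknown = $this->submitAndCollectMessages('user/password', ['name' => $unknown_email], 'Submit');

    $this->assertNotEmpty($known, 'The reset form shows a message.');
    $this->assertSame(
      $this->normalize($known, $known_email),
      $this->normalize($unknown, $unknown_email),
      'Password reset message must be identical for known and unknown accounts.'
    );
  }

}
```

Run it with core's PHPUnit runner, e.g. `vendor/bin/phpunit -c core modules/contrib/email_registration/tests/src/Functional/UsernameEnumerationTest.php` (the path is where such a test would live, not an existing file). Two failed logins stay well under core's flood limit, so the second submission is not masked by a lockout message; if the module ever adds a distinct "account is blocked" or "too many attempts" message, that case needs its own pair of submissions rather than being folded into these.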
  • First commit to issue fork.
  • 🇺🇸 United States bluegeek9

    bluegeek9 → changed the visibility of the branch 2.x to hidden.
