Pathauto and Global Redirect defaults expose usernames and more

Created on 26 April 2010, almost 15 years ago
Updated 10 April 2023, almost 2 years ago

With both Global Redirect and Pathauto modules installed with their respective default options, when a user enters http://example.com/user/[number] they are redirected to http://example.com/users/username instead. The page itself may display an "Access denied" error, but the username for the arbitrary account is exposed in the redirected URL.

By default, Pathauto creates URL aliases for each user account page. By default, Global Redirect does not check that a user has access to a given page before redirecting.

The same combination of module defaults can also expose titles of unpublished content:

  1. Create a page with the title "Secret announcement" but set the page to be unpublished.
  2. As an anonymous user, enter http://example.com/node/[node id created above] and you will get redirected to http://example.com/content/secret-announcement

With both Global Redirect and Pathauto listed in the SEO Checklist module, they're likely used in tandem on a lot of sites. That said, would it make sense to change the default setting for Menu Access Checking to "Enabled"? The help text for that field mentions avoiding "unexpected behaviour" but it's not clear what that behavior might be.

Bug report

Status: Fixed
Version: 1.0
Component: Code
Created by: Matt V. (United States)


Comments & Activities


  • ressa (Copenhagen, Denmark)

    ... would it make sense to change the default setting for Menu Access Checking to "Enabled"? The help text for that field mentions avoiding "unexpected behaviour" but it's not clear what that behavior might be.

    I agree with the original Issue Summary. I think Menu Access Checking should be enabled by default, to be on the safe side. If it's disabled, you can easily disclose the administrator user name:

    Go to /user/1 which redirects to /users/mysecretadminname
