[Resolved] Stop Allowing User Enumeration

HonestRepairAdmin (@honestrepairadmin)


    For years it has been possible to enumerate the user ID and username of user accounts created on a fresh installation of WordPress.

    I usually fix the problem myself in functions.php, but today while I was thinking about the new WP release I couldn’t help but wonder why this bug is still around. It’s been part of Metasploit for years, and it takes like 5 LOC to fix.

    Is there a reason WordPress is still vulnerable to this? Could it be fixed soon so I can stop re-modifying my theme every time it gets updated?

Viewing 6 replies - 1 through 6 (of 6 total)
Moderator Samuel Wood (Otto) (@otto42), www.ads-software.com Admin

    Agreed. Just an FYI that our team changed our position on this a while back and are still working to update documentation and product. I’m mentioning it in case you cite our research.

    Better to spend energy on securing the authentication process through strong passwords and 2 factor authentication.

    Mark.

Thread Starter HonestRepairAdmin (@honestrepairadmin)

    Thanks for engaging with me on this topic. I understand that usernames are made to be shared and email addresses are not generally secret (on an individual basis). However, I still think it’s wrong that anyone on the internet can get a clean .csv of users and user ID for any WordPress website.

    I’m also still looking for the WP team’s rationale on this. I see the fact that you don’t consider this a vuln but I don’t see why. Considering it takes under 10 lines of code to fix I feel that “we don’t think it’s necessary” is a bit of a cop-out.

    Also, I would argue that just by displaying the username on a webpage we are violating the GDPR. Let’s assume I operate an adult entertainment website. Anyone who enumerates my user list is going to get very personal information about my users (i.e. the fact that they’re using my website in the first place).

    Obviously contributors are a bit different, as they would be aware that this information gets shared.

    But what if Google gave you a .csv of all account holders’ usernames just because you poked around a bit. Don’t you think they would consider that a vulnerability?

    Also, you’re literally giving away the tools a hacker needs to pull off a brute force attack. Strong passwords are great, but if you have a list of usernames in hand brute forcing becomes a joke anyway. There are hundreds of word lists out there. If we disable enumeration an attacker now has to not only guess a password, but a username too.

    The work of writing 10 LOC to harden millions of websites seems trivial. I am just having a hard time understanding why WP wants to invite so much risk for literally no reward and zero development costs. Perhaps you could elaborate?

    It’s probably more than 10 lines of code because the general philosophy has been that it’s ok to leak usernames. So consider over 50,000 plugins and thousands of themes that may include leaks and need fixing. If the philosophy changes, then researchers get to open CVEs on a ton of code because it’s now considered ‘insecure’ compared to core.

Thread Starter HonestRepairAdmin (@honestrepairadmin)

    I can respect not breaking existing apps. That seems like the only logical reason to me.

    But if security is merely a “perception” then why is user enumeration disabled on www.ads-software.com? I just tried to enumerate its users but it failed. Probably because they’ve added similar code to what I added to my WordPress.

    Strange. Why can’t I enumerate your users? I thought it was a simple, innocent, innocuous task that serves good purpose!

    It doesn’t matter what the users or developers think this “feature” is good for. Hackers know this is a weakness and that’s how it’s used in the wild. It doesn’t matter if WordPress devs don’t think it’s important if hackers in the wild are using it. They don’t care if there’s a CVE or not. If they can dump a userlist with curl and bash that’s what they’re gonna do.

    I will gracefully close this request and keep modifying my functions.php as I always have, but please know that I disagree with this being documented “functionality.”

    There might be 5 times in a blog’s life when a user will use this feature the way it’s intended. By contrast it is guaranteed that a blog will be hit by some curl+bash script or Kali+WPScan thousands upon thousands of times by hundreds of bad actors. To me it’s not worth the risk.

Moderator Samuel Wood (Otto) (@otto42), www.ads-software.com Admin

    “But if security is merely a “perception” then why is user enumeration disabled on www.ads-software.com?”

    Because we have 10+ million accounts on this site, and trying to retrieve them all basically breaks the site. But we don’t have it limited everywhere, just on these support forums in particular.

    “There might be 5 times in a blog’s life when a user will use this feature the way it’s intended.”

    The new editor uses it. It loads a list of users up when allowing you to change the Author of a post, via the REST API.
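For readers who want to see what the thread starter's "5 to 10 lines in functions.php" look like, the following is an added example written for this page; it is not code from the thread, from WordPress core or from WordPress.org. It closes the two enumeration paths the thread discusses (the `/?author=N` canonical redirect to `/author/<nicename>/`, and the `/wp-json/wp/v2/users` REST routes) while keeping Otto's caveat in mind: the block editor loads the user list through the REST API as a logged-in user, so the routes are only hidden from unauthenticated requests. Hook names (`init`, `rest_endpoints`) and functions (`is_user_logged_in`, `wp_safe_redirect`, `home_url`) are real WordPress APIs; the file name `stop-user-enumeration.php` is an assumed name.

```php
<?php
/**
 * Plugin Name: Stop User Enumeration (added example, not WordPress core code)
 *
 * Saving this as wp-content/mu-plugins/stop-user-enumeration.php instead of
 * pasting it into functions.php means it survives theme updates, which is the
 * maintenance problem the thread starter complains about.
 */

/*
 * Path 1: /?author=<id>
 * WordPress canonical-redirects a numeric author query to /author/<user_nicename>/,
 * mapping every valid user ID to a username. Send anonymous visitors home instead.
 * Logged-in users and wp-admin requests are left alone so nothing in the dashboard
 * (author filters on the Posts list, for example) is affected.
 */
add_action( 'init', function () {
	if ( is_admin() || is_user_logged_in() ) {
		return;
	}
	if ( isset( $_REQUEST['author'] ) && preg_match( '/^\d+$/', (string) $_REQUEST['author'] ) ) {
		wp_safe_redirect( home_url( '/' ), 301 );
		exit;
	}
} );

/*
 * Path 2: /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id>
 * Remove the routes from the REST route table for unauthenticated requests only.
 * The block editor's post-author picker runs with a logged-in user plus a REST
 * nonce, so it still sees the routes; an anonymous curl gets a 404 "rest_no_route".
 * Cookie-authenticated requests that carry no nonce are treated by WordPress as
 * anonymous before this filter runs, so a stolen cookie alone does not reopen it.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	$user_routes = array(
		'/wp/v2/users',
		'/wp/v2/users/(?P<id>[\d]+)',
	);
	foreach ( $user_routes as $route ) {
		unset( $endpoints[ $route ] );
	}
	return $endpoints;
} );
```

To check it on your own site: `curl -sI 'https://your-site.example/?author=1'` should answer 301 to the home page rather than to `/author/<name>/`, and `curl -s 'https://your-site.example/wp-json/wp/v2/users'` should return a JSON error with code `rest_no_route` instead of a user list, while changing a post's author in the editor while logged in still works. Note that this only removes the ID-to-username mapping and the REST listing; author archive pages for users who have published posts remain reachable by name, which is the "usernames are made to be shared" point made earlier in the thread.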

The topic ‘Stop Allowing User Enumeration’ is closed to new replies.