[wp-trac] [WordPress Trac] #50254: User-name Enumeration

WordPress Trac noreply at wordpress.org
Tue May 26 11:16:06 UTC 2020


#50254: User-name Enumeration
--------------------------+------------------------
 Reporter:  virajmota     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Users         |     Version:
 Severity:  normal        |  Resolution:  duplicate
 Keywords:                |     Focuses:  privacy
--------------------------+------------------------
Changes (by SergeyBiryukov):

 * status:  new => closed
 * focuses:  accessibility, privacy, coding-standards => privacy
 * component:  General => Users
 * milestone:  Awaiting Review =>
 * keywords:  needs-refresh =>
 * resolution:   => duplicate


Comment:

 Hi there, welcome to WordPress Trac! Thanks for the report.

 Just noting this has been previously reported a few times, most recently
 in #40667 and #45318.

 As stated in the [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue Reporting Security Vulnerabilities] handbook
 article, we don't consider usernames (and by extension, the existence of
 accounts) to be private. A similar thing can be achieved just by browsing
 the `/author/{slug}` views.

 We need to balance user friendliness with information disclosure and as
 [https://halfelf.org/2014/username-secret/ usernames are not considered
 private information], user friendliness wins here.

 Please note that this Trac is used for enhancements and bug reporting for
 the WordPress core software, it is not the right place to discuss
 potential security issues, or issues specific to the WordPress.com
 platform.

 Please don't ignore the warning that Trac displays when creating security
 tickets. If you believe you've found a vulnerability, please
 [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues disclose it to us
 privately], [https://hackerone.com/wordpress via HackerOne].

 Related: #3708, #4290, #5301, #12129, #22421, #27125, #31787, #40667.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50254#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
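Added example, not part of the ticket or of WordPress core: the comment above explains that core treats author slugs as public, and the usual way to enumerate them is that a request for `/?author=N` is answered by `redirect_canonical()` with a 301 to `/author/{user_nicename}/` (the nicename defaults to the sanitised login name), and that `/wp-json/wp/v2/users` lists every user with published content. Site owners who still want to close both channels can do so with a must-use plugin such as the one below. The hook names, route keys and priorities are WordPress core's; the file name and the example.org host in the usage note are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Example: hide author archives and the users REST route from anonymous visitors
 * Description: Added hardening example for the behaviour discussed in #50254. Not WordPress core code.
 */

// Author archives: /author/{slug}/ and /?author=N both set is_author().
// Hooked at priority 1 so this runs before redirect_canonical() (priority 10),
// which would otherwise answer /?author=N with a 301 to /author/{user_nicename}/.
add_action( 'template_redirect', function () {
	if ( ! is_author() || is_user_logged_in() ) {
		return;
	}

	global $wp_query;

	// set_404() resets the query flags (is_author() becomes false), so
	// redirect_canonical() at priority 10 no longer has anything to redirect.
	// Existing and non-existing authors get the same 404 response.
	$wp_query->set_404();
	status_header( 404 );
	nocache_headers();
}, 1 );

// REST API: /wp/v2/users lists users who have published content and
// /wp/v2/users/{id} maps an ID to a slug. Removing both routes for anonymous
// requests turns those calls into a rest_no_route error. The keys below are
// the exact route strings core registers.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}

	unset( $endpoints['/wp/v2/users'] );
	unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );

	return $endpoints;
} );
```

Save it as, for example, wp-content/mu-plugins/hide-users.php; mu-plugins load without activation. To check, `curl -sI 'https://example.org/?author=1'` should return 404 with no Location header, and `curl -s 'https://example.org/wp-json/wp/v2/users'` should return a `rest_no_route` error instead of a user list. This only covers those two channels: display names and slugs still appear wherever the theme prints author links, in the oEmbed endpoint's `author_url`, and in the author sitemap added in WordPress 5.5, which is exactly why core's position in the comment above is that the slug should be treated as public.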