Possibility to enumerate user #13654
Comments
Findus23
added
c: Security
|
I don't think we consider this a security issue. We even provide API methods for users with view access to check if a specific userLogin or userEmail exists. |
|
users with view access have indeed the ability to check whether an account exists, but wondering about anonymous user (thanks for reporting this issue @fadi-assaad), is it currently the only place where one can check whether a given username/email account exists? |
|
I suppose there are couple more places... I wouldn't be surprised if |
|
Hello, do you still consider user enumeration as a non-security issue? If yes, could you please take an official stance and close this issue? And if not, could you please fix it? Thank you for your answer. |
|
In my opinion, this is also a small security gap. A generic message is also displayed when logging in, and not whether the password or the email address is wrong: The same behavior should happen with a password reset. A generic message like |
|
We could change the error message for password reset and instead show a success message at all times and mention the email will be only received if entered correctly. FYI quickly checking few providers and they are also showing an error message similar to us. Some other systems show the success message.
|
|
This issue was picked up during a recent network penetration test, which included a public-facing server with Matomo 5.0.0 installed. After a bit of digging I found this 5-year-old issue :-) The penetration tester noted:
|
In Change your password page, user enumeration is happening and it must change.
Simply replace the message Error: Invalid username or e-mail address. Into something like an email has been sent to the address on record.
The text was updated successfully, but these errors were encountered: