#3383: Urgent Security Alert: Username Enumeration Vulnerability Found
-----------------------+-----------------------------------------------
Reporter: cvvergara | Owner: sac-tickets@…
Type: task | Status: new
Priority: major | Milestone: Sysadmin Contract 2025-II (vicky)
Component: SysAdmin | Keywords:
-----------------------+-----------------------------------------------
Received a mail in info about a security issue
Mail content
---------------------------------
Severity: Medium-High
Bug Name: Username Enumeration
Website: https://osgeo.org
Affected POC: (link omitted for security reasons)
Description:
During our comprehensive security assessment, we identified a Username
Enumeration vulnerability on your site. This flaw allows attackers to
discern valid usernames by analyzing different system responses during
login, password reset, or registration processes. Such information
significantly aids threat actors in launching targeted brute-force or
social engineering attacks, potentially leading to unauthorized account
access, data leakage, or account takeover.
Impact:
- Increases risk of brute-force and credential stuffing attacks.
- Facilitates phishing campaigns by identifying valid user accounts.
- Weakens overall authentication security posture.
Suggested Fix:
- Standardize all authentication-related responses to be generic and
indistinguishable regardless of user validity.
- Implement rate limiting, account lockouts, or CAPTCHA challenges after
multiple failed attempts.
- Audit and secure all endpoints involved in user authentication and
recovery workflows.
White Hat Note:
Our mission is to strengthen cybersecurity for everyone by responsibly
reporting such vulnerabilities. We encourage you to notify us once this
issue has been resolved, so we can perform a retest to confirm the fix. We
look forward to recognizing your commitment to security with a bounty
reward.
---------------------------------
I confirmed that some users (including myself) are listed using the link
provided in the affected POC. (link not posted on this ticket for security
purposes)
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3383>
OSGeo
OSGeo committee and general foundation issue tracker.
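As an added illustration of the "Suggested Fix" in the mail (not code from osgeo.org or from the ticket), the handlers below show a login and password-reset flow that leaks username validity beside a hardened version that returns one generic response and always performs the hash work. The user store, salts and the `alice` account are constructed stand-ins, and `responses_differ` is a hypothetical self-check a maintainer can run to confirm the two code paths are indistinguishable.

```python
"""Username-enumeration demo: leaking handlers beside hardened ones (constructed example)."""
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential hashed on every miss so an unknown name costs the same time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_enumerating(username: str, password: str) -> tuple[int, str]:
    """Vulnerable: status, message and skipped hashing all reveal whether the name exists."""
    if username not in USERS:
        return 404, "No such user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Welcome"
    return 401, "Wrong password"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Hardened: identical status and message for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def password_reset_hardened(username: str) -> tuple[int, str]:
    """Generic acknowledgement either way; the reset mail goes out only when the account exists."""
    if username in USERS:
        pass  # hand off to the mailer out of band (not shown)
    return 200, "If that account exists, a reset link has been sent"


def responses_differ(handler, known: str, unknown: str, password: str = "x") -> bool:
    """Self-check: does the handler answer a valid and an invalid username differently?"""
    return handler(known, password) != handler(unknown, password)
```

Rate limiting and lockout, the other items in the suggested fix, sit in front of these handlers and are not part of this block.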