Prevent User Enumeration from reset password form [#3056388]

We found out, that it is possible to get user names from password reset link by guessing uid's.

I've did a little form alter to remove the username.
See the attached patch.

Cheers
Matthias

Comment	File	Size	Author
#2	user_enumeration_reset_3056388_1.patch	1.36 KB	mfrosch

Comments

22 May 2019 at 14:42

mfrosch created an issue. See original summary.

mfrosch commented 22 May 2019 at 14:43

Status	File	Size
new	user_enumeration_reset_3056388_1.patch	1.36 KB

nicksanta commented 1 December 2019 at 12:32

Assigned:

Unassigned

This is a great find, thank you for providing a patch! I am writing some tests and will commit it to 8.x-1.x branch shortly.

3 December 2019 at 10:09

nicksanta authored 35c8e04 on 8.x-1.x

Issue #3056388 by mfrosch, nicksanta: Prevent User Enumeration from...

nicksanta commented 3 December 2019 at 10:11

Status:

Active

» Fixed

17 December 2019 at 10:14

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.