Shortcut is a core module installed by default when using Standard profile. So that it is quite easy to figure out if a user with a given ID registered on a site.

Comments

Chi created an issue. See original summary.

nicksanta’s picture

nicksanta commented

#2133887: Enumeration still possible through user pages added all routes using the user entity link template. This should include the shortcut module's routes.

Have you tested this on the 8.x-1.0 release?

nicksanta’s picture

nicksanta commented
Status: Active » Postponed (maintainer needs more info)
chi’s picture

chi commented
Status: Postponed (maintainer needs more info) » Active

This should include the shortcut module's routes.

Those routes do not have registered links on user entity. I've just tested on 1.0. The issue still exist.

  • nicksanta authored f0cd5a7 on 8.x-1.x 
    Issue #3101457: Enumeration is still possible through /user/UID/...
nicksanta’s picture

nicksanta commented
Status: Active » Fixed

Fix merged in https://github.com/nicksantamaria/drupal-username_enumeration_prevention... - thanks for the report @Chi!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.