Problem/Motivation

In #1521996: Password reset form reveals whether an email or username is in use we try to find a solution that stops guests to use the 'Request new password' form to learn that a user with a specific email address is registered on the site.

The same privacy issue exists with the 'Create new account' form (as was pointed out by penyaskito).

Steps to reproduce the issue:

  1. Register an account with the email address me@example.com.
  2. Try to register another account with the email address me@example.com.
  3. You’ll get an error:
    The email address me@example.com is already registered. Have you forgotten your password?

Proposed resolution

  • Instead of displaying an error, display exactly the same success message that is used when registering with an unused email address.
    • If email verification is required:
      • In case the address is unused: No change, send the normal registration confirmation.
      • In case the address is already used: Send an email explaining something like: "You or someone else tried to register an account on example.com with your email address me@example.com. However, you already have an account on this site. Did you forget your password? Then …"
    • If email verificiation is not required (i.e., new users are directly logged in after registration):
      • If the same password is used: Just log the old user in, and maybe show a notification that the account already existed.
      • If a different password is used: This becomes ugly … (we can’t tell if the user is the same or not). What could we do? Maybe we should only provide a solution in case email verification is required?

Remaining tasks

User interface changes

API changes

CommentFileSizeAuthor
#29 patch-2346389-29.patch17.74 KBjan kellermann
#28 patch-2346389-28.patch17.8 KBjan kellermann
#27 patch-2346389-27.patch17.8 KBjan kellermann
#26 patch-2346389-26.patch17.87 KBjan kellermann

Issue fork drupal-2346389

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

Carsten Müller’s picture

Carsten Müller commented
Assigned: Unassigned » Carsten Müller

As i'm currently working on #1521996: Password reset form reveals whether an email or username is in use, i can also handle this issue.

Because there the patch from #1521996: Password reset form reveals whether an email or username is in use is needed this issue is currently blocked until it is commited.

David_Rothstein’s picture

David_Rothstein commented

I think the privacy concern here is somewhat overstated, given that Drupal does not verify email address. Once I have an account on a Drupal site, I can edit the account and change the email address to president@whitehouse.gov. That doesn't prove that Barack Obama or his staff are members of the site.

With #85494: Use email verification when changing user email addresses it would be more of an issue though.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

catch’s picture

catch
he/him
Primary language English
commented
Title: Privacy issue with 'Create new account' form: anonymous can check if someone is registered » Prevent registered e-mail address enumeration via registration and password reset forms
Category: Feature request » Bug report
Issue tags: +Security

Slightly broadening this. The forgotten password form shows an error if an e-mail address isn't registered, which is the opposite of the registration form but amounts to the same thing for the 'is this person registered on this website' check. Can split into separate issues later, but the bug's not really fixed until both registration and password reset have similar behaviour.

Double checked with the security team and there was consensus this could stay public since it's not a vulnerability as such.

David_Rothstein’s picture

David_Rothstein commented
Title: Prevent registered e-mail address enumeration via registration and password reset forms » Prevent registered e-mail address enumeration via user registration form

#1521996: Password reset form reveals whether an email or username is in use already has an in-progress patch for the password reset form, so if this is going to remain a separate issue (which seems OK to me) it probably should focus on the registration form only. Or if they're going to be combined, this should be marked as a duplicate.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented

I think this is very hard to solve. Even big sites such as Github are revealing if an email address is already taken on their registration form.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

ressa’s picture

ressa
he/him
commented

How about making it harder to check a lot of e-mails by progressively making the response slower and slower? For example, first check could respond after five seconds, the next after ten seconds, etc. After five attempts, the IP involved could be blocked for one hour.

mxr576’s picture

mxr576
Primary language Hungarian
Location Hungary
commented
Version: 8.9.x-dev » 9.2.x-dev
alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

I think if you have open registration then preventing user enumeration is not as much a concern as with the password reset. That form is useful on every site but once you have user registration at some point you're going to have to deal with telling some an email address is already registered.

I think a potentially interesting avenue to explore is the email verification avenue detailed in the issue summary. But even this is a downgrade in usability.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

mxr576’s picture

mxr576
Primary language Hungarian
Location Hungary
commented

@alexpott with all respects

you're going to have to deal with telling some an email address is already registered.

this is not a direct consequence of the previous.

Several customers' several security teams have raised concerns about all those places where Drupal does/did expose information about existing accounts for non-evaluated users, although it must not. Several other enterprise systems work in a way that they provide the same confirmation message for those accounts that do exist and for those that do not. In case of an error (e.g.: a real user registration failed) users can still contact support.

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Ap...

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

geek-merlin’s picture

geek-merlin
Primary language German
Location Freiburg, Germany
commented

We're also facing this as customer need. This is crucial for the standig of the Drupal framework in GDPR legislations.

oriol_e9g’s picture

oriol_e9g
Primary language Catalan
Location Barcelona
commented

Yes, this is a problem when work with European Union public institutions, sometimes they report email enumeration as a security flaw, and we have some projects where we use hook_form_alter to owerrite #validate and #submit to display the same message when the user enters a valid or invalid email or username.

An alternative solution could be to add a configurable error messages in UI as we have configurable messsage emails on register, then if you want the same message in both cases, simply set the same message error in site settings.

geek-merlin’s picture

geek-merlin
Primary language German
Location Freiburg, Germany
commented
Assigned: Carsten Müller » Unassigned

Assigned 8 years ago...

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

jan kellermann’s picture

jan kellermann commented
StatusFileSize
new patch-2346389-26.patch17.87 KB

tldr

Add 2 options to prevent information disclosure. The patch is a proof of concept with several todos.

a) email verification disabled

Dont show information that name or mail address are in use, just got to the front page and send an information mail to the account holder.

b) email verification enabled

Introducing a two-step registration.

- In 1st step only ask for mail address and consent to policy privacy. If mail address is in use you get a passwort reset link.
- In 2nd step after getting mail create your account.

Long version

I am not sure if this can be fixed without fundamental changes. The register-form is rudimentary. You have information disclosures, you have no consent for processing privacy data per default, you have no automatic routines for deletion unconfirmed users.

We can mitigate each single point - but everytime many custom solutions or contrib modules may break. And I think almost every page has a custom solution because the register form provides only basic functionality.

In an ideal world you have a two-step register process:

1) In the 1st step the user enter their mail address and consent to the privacy policy of the site. They get on the screen in any case: "Thank you for registration. We send you a mail to the given address." Then a mail with register-token or password-reset will be send. (In a real ideal world this double-opt-in would be a service in core and the data would be saved encrypted). Yes, we need a flood-protection. No user user entity will be created at this point (so we have no problem with no-deletion of orphaned users (privacy violation!).).

2) In the 2nd step the user can create their profile. If the site is working with user names (better use only mail address) you have to inform all users that they will be visible to other registered users (and they may use an anonymous nick name).

But this would break many (most?) existing solutions.

My proposal is to add a info-text and add 2 new options to the account settings formular.

The patch is a proof of concept to show the possible process.

Open todos:

- Account-Settings-Form: The states are not working correct - please click on and off to disable correctly.
- two-step: Encrypt / Decrypt data in keystore.
- two-step: No mail is sent after 1st step, you will be instead redirected to the generated URL to register
- two-step: Remove data form keystore.
- Send mail if registration fails in process without email verification.

The patch should apply to D10.1

Please take this as an offer for discussion.

jan kellermann’s picture

jan kellermann commented
StatusFileSize
new patch-2346389-27.patch17.8 KB

Sorry, wrong -p-level in #26

jan kellermann’s picture

jan kellermann commented
StatusFileSize
new patch-2346389-28.patch17.8 KB
jan kellermann’s picture

jan kellermann commented
StatusFileSize
new patch-2346389-29.patch17.74 KB

meeni_dhobale made their first commit to this issue’s fork.

quietone’s picture

quietone commented
Title: Prevent registered e-mail address enumeration via user registration form » Prevent registered email address enumeration via user registration form

prudloff made their first commit to this issue’s fork.

prudloff opened merge request !12376

prudloff’s picture

prudloff commented
Status: Active » Needs work
Issue tags: +Needs tests

I created a MR from the latest patch.

This still needs some tests and there are some @todo in the code.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.