Bug#727678: wiki.debian.org: Small security related glitch in user registration / login process
Package: wiki.debian.org
Version: current
Severity: normal
Maybe I missed something, but I think I found a small security
related glitch in the wiki.debian.org registration process.
It seems currently possible to
(a) confirm the existence of a wiki.debian.org account
(b) reveal its linked email address
REMARK:
(a) This might be always possible as you can simply try visiting:
https://wiki.debian.org/SomePerson
? - Did not try to see what happens if one deletes his own Homepage.
(b) This should really be a small security glitch as there is the "General option" on the users "Preferences" page:
"Publish my email (not my wiki homepage) in author info"
Here is what I did:
* Click on "Login"
* Click on "Forgot your password"
* Enter username, email
* You get: "If this account exists an email was sent."
So far so good, but:
* Click on "Login"
* Click on "you can create one now"
* Enter a username you want to know if it exists
* Enter any email address and any password
* Click "Create Profile"
* You get: "This user name already belongs to somebody else. If this is a new account and you need another verification link, try sending another one."
So this tells you that the account exists.
* Click on "try sending another one" (works even if "User account has already been verified!")
* You get: "Verification message re-sent to knuth@posern.org"
And this tells you it's linked email address.
Tormen.
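The two-request probe the report walks through (a registration attempt that says whether the name is taken, followed by a verification re-send that echoes the stored address) can be modelled in a few lines, alongside a variant whose responses do not depend on whether the account exists. This is an added illustration, not wiki.debian.org or MoinMoin code; the account table, the address `existing@example.org`, the throwaway address `attacker@example.net` and the `Mailer` helper are all constructed for the example.

```python
"""Account/email enumeration via registration and verification re-send.

Added example, not code from the wiki. Models the leaky responses the bug
report describes and a hardened variant with uniform responses.
"""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    email: str
    verified: bool = False


def sample_accounts():
    # Constructed sample data (hypothetical user name and address).
    return {"ExistingUser": Account("ExistingUser", "existing@example.org", verified=True)}


class Mailer:
    """Records outgoing mail instead of sending it, so the example runs offline."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


# --- Leaky flow, as the report describes it ---------------------------------

def register_leaky(accounts, mailer, username, email):
    # The message differs depending on whether the name is taken.
    if username in accounts:
        return "This user name already belongs to somebody else."
    accounts[username] = Account(username, email)
    mailer.send(email, "verify")
    return "Verification message sent."


def resend_leaky(accounts, mailer, username):
    # Echoes the stored address, even for an already-verified account.
    acct = accounts.get(username)
    if acct is None:
        return "Unknown user name."
    mailer.send(acct.email, "verify")
    return f"Verification message re-sent to {acct.email}"


def probe(accounts, username):
    """Attacker view: two requests with a throwaway address yield
    (account_exists, linked_email_or_None)."""
    mailer = Mailer()
    reply = register_leaky(accounts, mailer, username, "attacker@example.net")
    if reply.startswith("This user name already belongs"):
        return True, resend_leaky(accounts, mailer, username).rsplit(" ", 1)[1]
    return False, None


# --- Hardened flow: same response whether or not the name exists -------------

UNIFORM_REGISTER = ("If the user name was free, a verification message has "
                    "been sent to the address you entered.")
UNIFORM_RESEND = ("If a pending verification exists for that user name and "
                  "address, the message has been re-sent.")


def register_uniform(accounts, mailer, username, email):
    if username in accounts:
        # Notify the real owner out of band; tell the requester nothing.
        mailer.send(accounts[username].email, "someone tried to register your user name")
    else:
        accounts[username] = Account(username, email)
        mailer.send(email, "verify")
    return UNIFORM_REGISTER


def resend_uniform(accounts, mailer, username, email):
    # Requester must supply the address; mail only goes out when it matches
    # an unverified record, and the stored address is never echoed.
    acct = accounts.get(username)
    if acct is not None and not acct.verified and acct.email == email:
        mailer.send(email, "verify")
    return UNIFORM_RESEND


if __name__ == "__main__":
    print(probe(sample_accounts(), "ExistingUser"))   # leaks (True, address)
    print(probe(sample_accounts(), "Nobody"))         # (False, None)
    m = Mailer()
    print(register_uniform(sample_accounts(), m, "ExistingUser", "attacker@example.net"))
    print(resend_uniform(sample_accounts(), m, "ExistingUser", "attacker@example.net"))
```

The hardened variant removes the oracle from the message text only; response time and the separate page-existence check the report mentions under (a) remain out of scope for this example.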