784363 - https://support.mozilla.org/en-US/users/api/usernames?term=test parsing usernames

Status: RESOLVED INVALID

(support.mozilla.org :: General, defect)

Description

[Sebi]

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1

Steps to reproduce:

Go to
https://support.mozilla.org/en-US/users/api/usernames?term=test
https://support.mozilla.org/en-US/users/api/usernames?term=a
https://support.mozilla.org/en-US/users/api/usernames?term=b
https://support.mozilla.org/en-US/users/api/usernames?term=c
https://support.mozilla.org/en-US/users/api/usernames?term=d
...
https://support.mozilla.org/en-US/users/api/usernames?term=z
https://support.mozilla.org/en-US/users/api/usernames?term=1
https://support.mozilla.org/en-US/users/api/usernames?term=2
..
https://support.mozilla.org/en-US/users/api/usernames?term=9

https://support.mozilla.org/en-US/users/api/usernames?term=ab


Actual results:

usernames are listed 


Expected results:

This can be used to parse large numbers of usernames that can be afterwards attacked using bruteforce

There should be another token in the api calling

Comment 1

[Ricky Rosario [:rrosario, :r1cky]]

usernames are not considered to be private. You can spider the site to collect them all if you wanted. In fact we indicate "Your username will be shown next to your question in our public support forums." during registration.

Comment 2

[James Socol [:jsocol, :james]]

You must already be logged in to use this API, and the username itself isn't private info, as Ricky said.

Bruteforce protection should be at the log-in site, not here.

Comment 3

[Will Kahn-Greene [:willkg] ET needinfo? me]

These bugs are all resolved, so I'm removing the security flag from them.