Bug 965149
Opened 12 years ago
Closed 12 years ago
username enumeration on forgot password request
Category: Bugzilla :: User Accounts, defect
Status: RESOLVED DUPLICATE of bug 878035
Reporter: blaa7589 (Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36
Steps to reproduce:
Sent the following request (note: no cookies, but the token parameter is required):
POST /token.cgi HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=vv%40fdg.com
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
loginname=blaa7588@gmail.com&a=reqpw&token=1390975126-a25bb76646f10c4283d2c958273562b3
I sent 630 requests, modifying the loginname parameter, trying to brute-force guess a valid username. Being able to enumerate usernames is a security issue since it can be used to target users and guess their password (or use leaked passwords from other security breaches if the password is reused).
Actual results:
The application returned response "There is no user named XXX" for an invalid username and "A token for changing your password has been emailed" for a valid username.
I sent 630 requests, the 490th being a valid username. This indicates that there is no rate limiting either.
Expected results:
The response for every request should have been generic such as "If you have a valid account, you should have received a link to reset your password". Additionally, the length of the response should be the same. Since the token parameter is required, it could be used to rate limit requests too.
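The oracle the report describes, modelled as an added example (this is illustrative Python, not Bugzilla's own Perl token.cgi): a handler that answers differently for known and unknown accounts, the attacker's generic differencing loop that turns that into an enumeration, and a hardened handler that returns one fixed body and rate-limits on the submitted token as the report suggests. The account set, the 429 status and the per-token limit are assumptions for the demo.

```python
"""Username-enumeration oracle on a forgot-password endpoint, and a hardened
variant. Constructed example: USERS is a hypothetical account set, the
rate-limit policy and the 429 status are assumptions, not Bugzilla behaviour."""

from collections import defaultdict, deque

USERS = {"alice@example.com", "bob@example.com"}  # constructed sample accounts

VALID_MSG = "A token for changing your password has been emailed to you."
INVALID_MSG_FMT = "There is no user named {}."
GENERIC_MSG = ("If you have a valid account, you should have received a link "
               "to reset your password.")

sent_emails = []  # server-side side effect; never visible to the requester


def reqpw_vulnerable(loginname: str) -> tuple[int, str]:
    """Mirror of the behaviour the report observed: the body differs depending
    on whether the account exists, so the endpoint is an existence oracle."""
    if loginname in USERS:
        sent_emails.append(loginname)
        return 200, VALID_MSG
    return 200, INVALID_MSG_FMT.format(loginname)


class TokenRateLimiter:
    """Sliding-window limiter keyed on the request token (assumed policy:
    at most `limit` requests per `window` seconds per token)."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def reqpw_hardened(loginname: str, token: str, limiter: TokenRateLimiter,
                   now: float) -> tuple[int, str]:
    """Same status, body and length whether or not the account exists; the
    only observable difference is the rate limit, which applies to both."""
    if not limiter.allow(token, now):
        return 429, GENERIC_MSG  # 429 is an assumption for the demo
    if loginname in USERS:
        sent_emails.append(loginname)  # the email is the only real effect
    return 200, GENERIC_MSG


def _normalize(name: str, resp: tuple[int, str]) -> tuple[int, str]:
    # Mask the echoed login name so "There is no user named X" compares equal
    # across different X; what remains is the part that leaks existence.
    status, body = resp
    return status, body.replace(name, "<NAME>")


def enumerate_accounts(candidates, handler) -> list[str]:
    """Attacker's view: a candidate is 'confirmed' when its (normalized)
    response differs from the response for a name that certainly does not
    exist. Works against any response-text oracle, not just this message."""
    probe = "definitely-not-a-user@invalid.example"
    baseline = _normalize(probe, handler(probe))
    return [c for c in candidates if _normalize(c, handler(c)) != baseline]


if __name__ == "__main__":
    wordlist = ["carol@example.com", "alice@example.com",
                "dave@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_accounts(wordlist, reqpw_vulnerable))
    limiter = TokenRateLimiter(limit=10, window=60.0)
    hardened = lambda n: reqpw_hardened(n, "1390975126-token", limiter, 0.0)
    print("hardened:  ", enumerate_accounts(wordlist, hardened))
```

Against `reqpw_vulnerable` the loop recovers exactly the existing accounts from the wordlist; against `reqpw_hardened` every response is byte-identical, so the differencing yields nothing, and a wordlist larger than the per-token budget is cut off with 429s instead of being answered.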
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated 12 years ago: Group: bugzilla-security