nodeSolidServer/node-solid-server

username leak. remove "user found" from login page

Closed this issue · 2 comments

Anyone can scrape usernames from an NSS service by using the login page, since it discloses “user found”. (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13))

Davi found this defect yesterday.
Looks like it could be fixed by just changing the error message sent back to the browser to something like 'The username and password combination is not valid'.

Thanks for reporting.