
I couldn't find any other post on Stack Exchange talking about this.

I have found a way to get a website to list all users and their names. Is this considered a vulnerability? This website does have a bug bounty.

I think this might be a vulnerability, because an attacker could enumerate the user list and test the top 3 passwords or something, then switch to another proxy and try the next account. I don't know if this is worth reporting or not, however.

So here are my questions: Is this a vulnerability? What is its severity? Is it worth reporting? And if it is a vulnerability, what other ways could someone exploit this?

Edit: This question is talking about actually being able to list every single user and their names. Not just being able to check whether or not a user exists. I don't know how to "unmark" this as a duplicate.

user149925
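The scenario sketched in the question (a full user list, a handful of common passwords per account, a new proxy for each account) is password spraying, and the reason it matters is that per-account lockout never fires. The following is an added example, not code from the question or from the site being discussed; it runs a per-account lockout counter and a cross-account spray detector over a small, constructed authentication log. The log format (`<timestamp> <FAIL|OK> user=<name> ip=<addr>`), the thresholds and the user names are all assumptions chosen for illustration.

```python
"""Password spraying vs. per-account lockout: a detection comparison.

Added example (not part of the original question). With a complete user
list an attacker can try, say, three common passwords against every
account, rotating source IPs between accounts. Each account sees only a
few failures, so a per-account lockout threshold is never reached; the
attack is only visible when failures are aggregated across accounts.
The log lines and their format are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (assumed format): five accounts sprayed with three
# guesses each from distinct IPs, one of them (erin) compromised, followed
# half an hour later by an ordinary brute-force burst against one account.
SAMPLE_LOG = """\
2017-06-02T18:00:01 FAIL user=alice ip=203.0.113.10
2017-06-02T18:00:02 FAIL user=alice ip=203.0.113.10
2017-06-02T18:00:03 FAIL user=alice ip=203.0.113.10
2017-06-02T18:01:01 FAIL user=bob ip=203.0.113.11
2017-06-02T18:01:02 FAIL user=bob ip=203.0.113.11
2017-06-02T18:01:03 FAIL user=bob ip=203.0.113.11
2017-06-02T18:02:01 FAIL user=carol ip=198.51.100.7
2017-06-02T18:02:02 FAIL user=carol ip=198.51.100.7
2017-06-02T18:02:03 FAIL user=carol ip=198.51.100.7
2017-06-02T18:03:01 FAIL user=dave ip=198.51.100.8
2017-06-02T18:03:02 FAIL user=dave ip=198.51.100.8
2017-06-02T18:03:03 FAIL user=dave ip=198.51.100.8
2017-06-02T18:04:01 FAIL user=erin ip=192.0.2.20
2017-06-02T18:04:02 FAIL user=erin ip=192.0.2.20
2017-06-02T18:04:03 OK   user=erin ip=192.0.2.20
2017-06-02T18:30:01 FAIL user=frank ip=192.0.2.99
2017-06-02T18:30:02 FAIL user=frank ip=192.0.2.99
2017-06-02T18:30:03 FAIL user=frank ip=192.0.2.99
2017-06-02T18:30:04 FAIL user=frank ip=192.0.2.99
2017-06-02T18:30:05 FAIL user=frank ip=192.0.2.99
2017-06-02T18:30:06 FAIL user=frank ip=192.0.2.99
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Parse the constructed log into sorted (timestamp, ok, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an auth record
        ts, result, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), result == "OK", user, ip))
    events.sort(key=lambda e: e[0])
    return events


def per_account_lockout(events, max_failures=5):
    """Classic control: lock an account after N consecutive failures.
    Returns the set of users that would have been locked out."""
    streak = Counter()
    locked = set()
    for _, ok, user, _ in events:
        if ok:
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= max_failures:
                locked.add(user)
    return locked


def find_spray_window(events, window=timedelta(minutes=10),
                      min_users=5, max_per_user=3):
    """Cross-account control: report the first window in which at least
    `min_users` distinct accounts fail while no single account exceeds
    `max_per_user` failures (the low-and-slow shape of spraying).
    Returns an alert dict, or None if no such window exists."""
    failures = [e for e in events if not e[1]]
    for i, (start, _, _, _) in enumerate(failures):
        in_window = [e for e in failures[i:] if e[0] - start <= window]
        per_user = Counter(e[2] for e in in_window)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            return {
                "start": start.isoformat(),
                "users": sorted(per_user),
                "ips": sorted({e[3] for e in in_window}),
                "failures": len(in_window),
            }
    return None


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", per_account_lockout(events))
    print("spray window:", find_spray_window(events))
```

Run as written, the per-account rule locks only `frank`, the noisy single-account brute force, while the five sprayed accounts (including the one that was actually compromised) pass untouched; the cross-account rule is what surfaces them. That asymmetry is the practical consequence of a full user list being exposed, and it is what a report to the bug bounty should spell out.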
  • This is definitely a vulnerability and worth reporting! – NtFreX Jun 02 '17 at 18:20
  • We have tons of questions about username enumeration. E.g. [this](https://security.stackexchange.com/questions/158075/is-it-unsafe-to-show-message-that-username-account-does-not-exist-at-login), [this](https://security.stackexchange.com/questions/4729/should-usernames-be-kept-secret) and [this](https://security.stackexchange.com/questions/42872/user-name-enumeration). – Arminius Jun 02 '17 at 18:21
  • @Arminius Aren't those questions all about whether it's secure to show that a user exists after the username has been entered? This question seems to be about an issue where he can list all users. – NtFreX Jun 02 '17 at 19:06
  • @Dr.Fre In my opinion, the arguments in that case aren't fundamentally different. But if you think that's a separate issue that justifies an individual question, you might want to emphasize this aspect in the question and ask for a reopen. – Arminius Jun 02 '17 at 19:39
  • It's not a WordPress site, right? – t.m.adam Jun 02 '17 at 21:06
  • This is a request to reopen this question: I found a way to get the site to display a list of every single user's names (real name, but arbitrary, so it could also not be their real name) and usernames. I am not asking whether or not sites should hide the username on registration (or any of the other circumstances noted in the questions that @Arminus mentioned). I am asking if user listing is considered a vulnerability. The ability to not just check whether usernames exist or not, but to actually be able to get a list of every single user and their name. – Aaron Esau Jun 03 '17 at 22:54
  • @t.m.adam No, this is not a WordPress site. No CMS, in fact. – Aaron Esau Jun 03 '17 at 22:58
  • @Arminus I edited the question to emphasize the aspect of the question. Thanks. – Aaron Esau Jun 03 '17 at 22:59
  • Oh sorry, I just realized I was commenting from my second account. The @Arin user is me. – user149925 Jun 03 '17 at 23:01
  • This question has been incorrectly marked as a duplicate. Please reopen it. Read the edit for an explanation of why I believe this is not a duplicate. Thank you. – user149925 Jan 22 '18 at 05:38

0 Answers