For example, sometimes I need to post debug messages to the internet like this:

No such file : /Users/xxxxx/Documents/test.sh

My question is: is forgetting to replace the login name with xxxxx a security risk?

ocomfd

2 Answers

The revealed username would only be a real security problem if this macOS computer is directly exposed to the Internet with remotely accessible services like SSH, where the username could be used. The username alone would most likely be used for brute force attacks.

  • The brute force attack would not be that effective, if you have a strong password (and possibly Fail2Ban). However, people often have weaker passwords on their personal computers as they need to type it frequently.

  • Username information is only useful for brute force attacks if the intruder also knows the IP address of his target.

Other parts of the PATH may, however, reveal something more directly usable. Say you have e.g. /Users/username/public_html/path/to/known/vulnerable.php that could be directly exploited without brute forcing any passwords.

Then, there are all the possible privacy issues, but as you send this information voluntarily, you are probably already aware of those.

Esa Jokinen

It is data leakage: now an attacker would know that, if they wanted to run a brute-force password attack on your account, that is a username to use.

But really it is fairly low on the risk scale in my opinion.

If you were running a production site, I prefer to remove any public facing error messages that include things like paths from those.

Joe M
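
An added example (not part of the question or either answer), in Python: a filter that replaces the login name in home-directory paths before a debug message is posted, so the substitution does not depend on remembering to do it by hand. The function name `scrub`, the list of shared folder names and the sample text are assumptions made for illustration.

```python
import re

# Home-directory prefixes (macOS, Linux, Windows); the next path segment is
# the login name. Names containing spaces are not handled (assumption).
_HOME_RE = re.compile(
    r"(?P<prefix>/Users/|/home/|[A-Za-z]:\\Users\\)"
    r"(?P<user>[\w-]+(?:\.[\w-]+)*)"
)
# Well-known shared folders that are not login names.
_NOT_USERS = {"Shared", "Public", "Default"}

# Constructed sample input, not taken from a real machine.
SAMPLE = (
    "No such file : /Users/jdoe/Documents/test.sh\n"
    "jdoe@macbook ~ % ls /Users/Shared\n"
    "Traceback: C:\\Users\\jdoe\\app.py, /home/jdoe/.ssh/config\n"
)


def scrub(text, placeholder="xxxxx", extra_names=()):
    """Redact login names in home paths, then the same names elsewhere."""
    names = set(extra_names)

    def _redact_path(match):
        user = match.group("user")
        if user in _NOT_USERS:
            return match.group(0)
        names.add(user)
        return match.group("prefix") + placeholder

    text = _HOME_RE.sub(_redact_path, text)
    # Second pass: a name seen in a path often recurs in prompts such as
    # "jdoe@macbook"; match it only as a whole token, longest names first.
    for name in sorted(names, key=len, reverse=True):
        if name and name != placeholder:
            token = r"(?<![\w-])" + re.escape(name) + r"(?![\w-])"
            text = re.sub(token, lambda _m: placeholder, text)
    return text


if __name__ == "__main__":
    import getpass
    import sys
    # Filter stdin to stdout, also redacting the current login name.
    sys.stdout.write(scrub(sys.stdin.read(), extra_names=[getpass.getuser()]))
```

The filter only replaces the login name; the remaining path components are left intact and still need a manual look before posting.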