
Do not show pop-up with users on the login screen

  • tm123 (Topic Author)
  • New Member
  • Posts: 4
  • Thanks: 0


10 months 1 week ago
#93987
When logging in, there is this functionality that shows member names after typing the first 4 characters: "Enter your E-mail, Name, or Username, then select your Name or Username from the pop-up list that displays."
I don't think it's a good idea - it's leaking the names of all the members, even if they choose not to make their name public.
I didn't find anything in the settings to disable this behaviour.
I would suggest removing it completely.


  • NotLiable
  • FreeToastHost Ambassador
  • Posts: 252
  • Thanks: 38

Re: Do not show pop-up with users on the login screen

10 months 1 week ago
#93992
The pop-up list that displays is an auto-complete feature in the underlying code.  While yes, it does show names of members who have chosen not to make their profile public (which only shows name and member/officer status as a minimum), I don't see where this is terribly problematic.  Are those members, for whatever reason, totally reluctant to even admit that they are club members?
Yes, you are correct, that there is presently no disable setting, but again, I fail to see how this make-it-faster-and-easier-for-me-to-log-in feature is so troubling.
 


  • tm123 (Topic Author)
  • New Member
  • Posts: 4
  • Thanks: 0

Re: Do not show pop-up with users on the login screen

10 months 1 week ago
#93996
To make it simple - it is not about the user's preference - it is a security risk. It allows a potential attacker to gather valid user names and then use another attack (i.e. password stuffing) to break into that account.
Do not just believe me - have a look at the "Account Enumeration" vulnerability, for example:
owasp.org/www-project-web-security-testi...essable_User_Account
www.virtuesecurity.com/kb/username-enumeration/

Please consider removing it from the code completely.

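Added example, not part of the thread and not FreeToastHost's code: a Python model of the pre-login suggestion behaviour described in the post above, next to a variant that returns nothing to unauthenticated visitors and a login check with a single failure message. The roster, the function names and the `session_user` parameter are hypothetical.

```python
from dataclasses import dataclass

MIN_PREFIX = 4  # the thread says the pop-up appears after 4 typed characters


@dataclass(frozen=True)
class Member:
    username: str
    full_name: str
    email: str
    profile_public: bool  # the leaky lookup below never consults this flag


# Constructed sample roster (not real members).
ROSTER = [
    Member("jsmith", "John Smith", "john@example.org", True),
    Member("jsmythe77", "Joan Smythe", "joan@example.org", False),
    Member("apatel", "Asha Patel", "asha@example.org", False),
]


def suggest_leaky(prefix, roster=ROSTER):
    """Behaviour described in the thread: any visitor gets matching names."""
    p = prefix.casefold()
    if len(p) < MIN_PREFIX:
        return []
    return sorted(
        m.full_name for m in roster
        if any(f.casefold().startswith(p)
               for f in (m.username, m.full_name, m.email))
    )


def suggest_hardened(prefix, roster=ROSTER, session_user=None):
    """No suggestions before authentication, whatever the prefix matches."""
    if session_user is None:
        return []
    return suggest_leaky(prefix, roster)


def login_response(identifier, password, check_password, roster=ROSTER):
    """One message for 'unknown account' and 'wrong password', so the form
    does not confirm valid accounts once the pop-up is gone."""
    ident = identifier.casefold()
    member = next((m for m in roster
                   if ident in (m.username.casefold(), m.email.casefold())), None)
    ok = member is not None and check_password(member, password)
    return "Welcome" if ok else "Invalid login or password"
```

A production login check also needs comparable response time for both failure cases, which this model does not address.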

  • Brian
  • Administrator
  • Posts: 10649
  • Thanks: 3580

Re: Do not show pop-up with users on the login screen

10 months 1 week ago - 10 months 6 days ago
#93998
Your issue has already been addressed. Those who do not want their name exposed can use the Username option.

 
Last edit: 10 months 6 days ago by Heni.