Bug that allows username and password to be equivalent

(Jonathan) #1

I found an interesting timing bug on Discourse that allows you to be able to have your forum username and password to be the same. When you try to create an account, Discourse does not allow your username and password to be the same. However, you can follow these instructions to have them be the same:

  1. Create an account. (i.e. username can whatever you choose. Password can be HelloWorld100 for example)

  2. When your account is created, go into your user preferences to change your username (If you just go ahead and change your username to be your password and hit, “change username” it will say that the username is unavailable.)

  3. Let’s say your password is HelloWorld100. Now, all you have to do is go into you user preferences and enter HelloWorld1001 as your new username. Quickly press the delete button to delete the extra “1” and then the change username button. Your username will then become equivalent to your password.

I don’t know if this is an issue, but I just wanted to address it just in case. (Even during password reset it won’t allow the username and password to be equivalent. It was just this one case where you had to tap delete and enter very quickly when changing your username!)

Thanks anyway!


I’m also wondering if this timing glitch can bypass other securities such as having the same username as someone else, but I haven’t found anything yet. I will let you know if I find anything else. Thank you!

5 Likes
(Sam Saffron) #2

This protection is just to help avoid cases where people don’t read when signing up. I guess we could put a harder limitation into the software that avoided this edge case, but where do we stop.

What if your name is “Bob Loblaw”, shouldn’t we also match your password there and ban it?

What about “Bob Loblaw1” / 2 / 3 / 4, they are also obvious guesses. It is a very long and windy road.

4 Likes
(Jonathan) #3

Yeah, that makes sense. This timing issue is a very minor bug.

However, there is the possibility it could let you change your username to an already available username (For example a user who is an admin). Would this let you access their account? I don’t know. I will keep doing for research, I just wanted to put it out there that this could be a potential possibility.

(Sam Saffron) #4

No there are extremely hard limits on username name space.

No two (users/groups) can share the same name. Users and groups share the same unique namespace.

3 Likes
(Jeff Atwood) #5

:scream: Hmm @neil we should block this specific case. Username equal to password is suuuper bad mojo.

Granted the window for this is pretty small, you can only change username for a brief time after signing up, but still.

5 Likes
(Sam Saffron) #6

If we are doing this might as well block password from being “name” as well.

So I guess on save

  • If name / username / username_lower changed
  • If it is == password
  • don’t validate
5 Likes
(Neil Lalonde) #8

This case is now handled. Names == password are being blocked now too.

7 Likes
(Jeff Atwood) closed #9