Bug that allows username and password to be equivalent

I found an interesting timing bug on Discourse that allows you to have your forum username and password be the same. When you try to create an account, Discourse does not allow your username and password to be the same. However, you can follow these instructions to have them be the same:

  1. Create an account. (i.e. username can be whatever you choose. Password can be HelloWorld100, for example.)

  2. When your account is created, go into your user preferences to change your username. (If you just go ahead and change your username to be your password and hit “change username”, it will say that the username is unavailable.)

  3. Let’s say your password is HelloWorld100. Now, all you have to do is go into your user preferences and enter HelloWorld1001 as your new username. Quickly press the delete button to delete the extra “1” and then the change username button. Your username will then become equivalent to your password.

I don’t know if this is an issue, but I just wanted to address it just in case. (Even during password reset it won’t allow the username and password to be equivalent. It was just this one case where you had to tap delete and enter very quickly when changing your username!)

Thanks anyway!


I’m also wondering if this timing glitch can bypass other securities such as having the same username as someone else, but I haven’t found anything yet. I will let you know if I find anything else. Thank you!

5 Likes

This protection is just to help avoid cases where people don’t read when signing up. I guess we could put a harder limitation into the software that avoided this edge case, but where do we stop.

What if your name is “Bob Loblaw”, shouldn’t we also match your password there and ban it?

What about “Bob Loblaw1” / 2 / 3 / 4, they are also obvious guesses. It is a very long and windy road.

4 Likes

Yeah, that makes sense. This timing issue is a very minor bug.

However, there is the possibility it could let you change your username to an already available username (for example, a user who is an admin). Would this let you access their account? I don’t know. I will keep doing research, I just wanted to put it out there that this could be a potential possibility.

No, there are extremely hard limits on username name space.

No two (users/groups) can share the same name. Users and groups share the same unique namespace.

3 Likes

:scream: Hmm @neil we should block this specific case. Username equal to password is suuuper bad mojo.

Granted the window for this is pretty small, you can only change username for a brief time after signing up, but still.

5 Likes

If we are doing this might as well block password from being “name” as well.

So I guess on save

  • If name / username / username_lower changed
  • If it is == password
  • don’t validate

5 Likes

This case is now handled. Names == password are being blocked now too.

https://github.com/discourse/discourse/commit/6f747c6b71c20e1eb22a82e023f3e37683637bfd

7 Likes
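
The on-save check outlined in the thread (if name / username / username_lower changed and equals the password, fail validation), as an added Ruby sketch that is not Discourse's code and is not taken from the linked commit. `SketchUser`, its fields and the PBKDF2 parameters are assumptions for illustration; because only a salted hash is stored, the candidate name is hashed with the user's salt and compared against the stored hash.

```ruby
require "openssl"
require "securerandom"

# Hypothetical stand-in for a user record (not Discourse's User model).
class SketchUser
  ITERATIONS = 10_000 # constructed value for the sketch
  attr_reader :username, :name, :errors

  def initialize(username:, name:, password:)
    @salt = SecureRandom.hex(16)
    @password_hash = derive(password)
    @username = username
    @name = name
    @errors = []
  end

  # Save path: checks the value actually submitted to the server, so the
  # result does not depend on any earlier availability check in the form.
  def update(username: @username, name: @name)
    @errors = []
    { username: username, name: name }.each do |field, value|
      changed = value != instance_variable_get("@#{field}")
      @errors << "#{field} same as password" if changed && matches_password?(value)
    end
    return false unless @errors.empty?
    @username = username
    @name = name
    true
  end

  private

  def derive(secret)
    OpenSSL::PKCS5.pbkdf2_hmac(secret, @salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end

  # Only the salted hash is stored, so hash the candidate and its lowercase
  # form (the username_lower case) and compare against the stored hash.
  def matches_password?(candidate)
    [candidate, candidate.downcase].uniq.any? { |c| secure_eq(derive(c), @password_hash) }
  end

  # Constant-time comparison of two equal-length digests.
  def secure_eq(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```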