Add feature to hide existing credentials #617

Spomky · 2024-07-06T04:18:56Z

The code changes enable suppressing the existing user credential details to enhance security. This feature introduces a preventive measure against username enumeration exploits by concealing the previously existing credentials. The flag 'hide_existing_credentials' has been added to facilitate this change, defaulted to false. This change is particularly important during the attestation ceremony performed by anonymous users.

Target branch: 4.9.x
Resolves issue # none

It is a Bug fix
It is a New feature
Breaks BC
Includes Deprecations

The code changes enable suppressing the existing user credential details to enhance security. This feature introduces a preventive measure against username enumeration exploits by concealing the previously existing credentials. The flag 'hide_existing_credentials' has been added to facilitate this change, defaulted to false. This change is particularly important during the attestation ceremony performed by anonymous users.

Spomky added bug Something isn't working security labels Jul 6, 2024

Spomky added this to the 4.9.0 milestone Jul 6, 2024

Spomky self-assigned this Jul 6, 2024

Spomky force-pushed the bugs/username-enumeration branch from 66a7463 to 64de11f Compare July 6, 2024 04:54

Spomky merged commit a9d1352 into 4.9.x Jul 6, 2024
15 checks passed

Spomky deleted the bugs/username-enumeration branch July 6, 2024 04:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add feature to hide existing credentials #617

Add feature to hide existing credentials #617

Spomky commented Jul 6, 2024

Add feature to hide existing credentials #617

Add feature to hide existing credentials #617

Conversation

Spomky commented Jul 6, 2024