It is possible to check if a user exists in Bitbucket (either internal or external directories) on a login page


    • Severity 3 - Minor

      Issue Summary

      It is possible to check if a user exists in Bitbucket (either internal or external directories) on a login page by typing a username & incorrect password combination.

      This is reproducible on Data Center: (yes)

      Steps to Reproduce

      1. Go to the Bitbucket login page.
      2. Try to log in with a user that exists in any of the Bitbucket user directories, using an incorrect password.
      3. Try to log in with a user that doesn't exist in any of the Bitbucket user directories.

      Expected Results

      Error messages in both cases are the same:

      Actual Results

      Error messages differ between the two cases, allowing username discovery:

      User exists in a directory:

      User doesn't exist in a directory:
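Added example, not Bitbucket's or Atlassian's code: a minimal Python model of the two login failure paths described above, a hardened variant that returns one message (and does one password hash) whether or not the user exists, and a check a test suite could run to catch the regression. The directories, users, salt and passwords are constructed.

```python
"""Added example (not Atlassian's code): models the login behaviour in the report
and shows the fix, a single error message for both failure cases."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"  # constructed; a real store uses a per-user salt


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed stand-in for Bitbucket's internal and external user directories.
DIRECTORIES = {
    "internal": {"alice": _hash("correct horse", _SALT)},
    "ldap": {"bob": _hash("battery staple", _SALT)},
}


def lookup(username: str):
    """Return the stored hash for a user found in any directory, else None."""
    for directory in DIRECTORIES.values():
        if username in directory:
            return directory[username]
    return None


def login_vulnerable(username: str, password: str) -> str:
    """Behaviour the report describes: the message reveals whether the user exists."""
    stored = lookup(username)
    if stored is None:
        return "Unknown user"
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return "Incorrect password"
    return "OK"


GENERIC_FAILURE = "Invalid username or password."
# Hashed once at import so an unknown user costs the same work as a known one.
_DUMMY = _hash(secrets.token_hex(16), _SALT)


def login_hardened(username: str, password: str) -> str:
    """Same message and same hash work for unknown users and wrong passwords."""
    stored = lookup(username)
    candidate = stored if stored is not None else _DUMMY
    match = hmac.compare_digest(candidate, _hash(password, _SALT))
    return "OK" if (match and stored is not None) else GENERIC_FAILURE


def leaks_user_existence(login) -> bool:
    """Regression check: do the two failure paths produce different messages?"""
    return login("alice", "wrong") != login("nobody", "wrong")
```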

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.

            Assignee: Unassigned
            Reporter: Tomasz Tokarczuk (Inactive)
            Votes: 1
            Watchers: 3
