
User Enumeration vulnerability mitigation

Hello,

 

Among various security vulnerabilities, Magento 1 had one known as User Enumeration.

For example, it was possible to reproduce it by trying to register a new account: if the email of an existing registered customer is used during registration of a new customer, the system will explicitly notify the user about this, and thus a valid username will be revealed.

Is it mitigated somehow in Magento 2? In which way?

 

Thank you
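
The registration behaviour described in the question, next to an enumeration-resistant variant, as an added example that is not part of the original post and is not Magento code. `Store`, `register_enumerable`, `register_uniform`, `replies_differ` and the message strings are hypothetical names and values chosen for illustration.

```python
# Added illustration: generic registration logic, not Magento code.
from dataclasses import dataclass, field

GENERIC_REPLY = "If this address can be registered, a confirmation email is on its way."


@dataclass
class Store:
    # Constructed in-memory stand-ins for a customer table and a mail queue.
    customers: set = field(default_factory=set)
    pending: set = field(default_factory=set)
    outbox: list = field(default_factory=list)


def normalize(email: str) -> str:
    return email.strip().lower()


def register_enumerable(store: Store, email: str) -> str:
    """Behaviour described in the question: the reply reveals existing accounts."""
    email = normalize(email)
    if email in store.customers:
        return "There is already an account with this email address."
    store.customers.add(email)
    return "Thank you for registering."


def register_uniform(store: Store, email: str) -> str:
    """Same on-screen reply either way; the difference goes only to the mailbox owner."""
    email = normalize(email)
    if email in store.customers:
        store.outbox.append((email, "Someone tried to register with your address. "
                                    "If it was you, sign in or reset your password."))
    else:
        store.pending.add(email)  # account is created only after the emailed link is used
        store.outbox.append((email, "Confirm your address to finish creating your account."))
    return GENERIC_REPLY


def replies_differ(register, store: Store, known: str, unknown: str) -> bool:
    """True when the web response lets a caller tell a registered address from a new one."""
    return register(store, known) != register(store, unknown)


if __name__ == "__main__":
    s = Store(customers={"alice@example.com"})  # constructed sample data
    print("enumerable leaks:", replies_differ(register_enumerable, s, "alice@example.com", "new1@example.com"))
    print("uniform leaks:   ", replies_differ(register_uniform, s, "alice@example.com", "new2@example.com"))
```

A uniform message only helps if the two branches also look alike in status code and response time, and if the form is rate limited.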

1 REPLY

Re: User Enumeration vulnerability mitigation

I will pass this on to the security team to check. It is always a challenge with such a big surface area of the product (lots of pages, APIs, etc. available over the web) to make sure they are all protected. But agree, this should be on the list if not already done.

 

Talking about security in public is always a challenge as you want to help merchants without helping the bad guys as well.