- Status Closed
Assigned To
cbay - Private
Opened by hellofresh01 - 07.05.2026
Last edited by cbay - 07.05.2026
FS#329 - Unauthenticated Username Enumeration
1. Executive Summary
During a security assessment of the security.alwaysdata.com infrastructure, a medium-severity vulnerability was identified in the user registration/validation logic. An unauthenticated endpoint allows for the systematic enumeration of valid usernames. This information disclosure can be leveraged by malicious actors to conduct targeted brute-force attacks, credential stuffing, or sophisticated social engineering campaigns.
2. Vulnerability Information
| Field | Details |
| --- | --- |
| Vulnerability Type | Information Exposure (Username Enumeration) |
| Severity | Medium |
| Status | Open |
| Affected Component | searchnames.php |
| Vector | Network / Web API |
3. Technical Analysis
Root Cause
The endpoint searchnames.php is designed to provide real-time feedback during the account creation process. However, the root cause of the issue is twofold:
Lack of Authentication: The endpoint is accessible to any unauthenticated user or automated script.
Differential Responses: The server returns distinct boolean strings (true vs false|message) based on whether a username exists in the database.
Vulnerability Details
File Source: [https://security.alwaysdata.com/js/functions.js](https://security.alwaysdata.com/js/functions.js)
Endpoint: [https://security.alwaysdata.com/js/callbacks/searchnames.php](https://security.alwaysdata.com/js/callbacks/searchnames.php)
Parameter: name
4. Proof of Concept (PoC)
The following curl commands demonstrate how an attacker can distinguish between an existing and a non-existing account.
Test 1: Existing Username (Admin)
Bash
curl -s -X GET "https://security.alwaysdata.com/js/callbacks/searchnames.php?name=admin" \
-H "Content-Type: application/json"
Response:
false|That username is already taken. You will need to choose another one.
Test 2: Non-Existent Username
Bash
curl -s -X GET "https://security.alwaysdata.com/js/callbacks/searchnames.php?name=admin123456789" \
-H "Content-Type: application/json"
Response:
true
5. Impact
Targeted Attacks: Attackers can build a list of valid users to perform password spraying or brute-force attacks.
Social Engineering: Knowledge of valid usernames facilitates more convincing phishing attempts against specific employees or users.
Screenshot_9.png
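A defender-side way to spot the probing pattern this report describes in web access logs, as an added example that is not part of the report or of alwaysdata's code: it parses Apache-style lines (the sample lines are constructed), keeps only requests to the searchnames.php endpoint with a name parameter, and flags any client that probes more than an assumed threshold of distinct usernames inside an assumed sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

ENDPOINT = "/js/callbacks/searchnames.php"  # endpoint named in the report
# Constructed sample lines in Apache combined-log style, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2026:10:00:01 +0000] "GET /js/callbacks/searchnames.php?name=admin HTTP/1.1" 200 62 "-" "curl/8.5.0"
203.0.113.7 - - [07/May/2026:10:00:02 +0000] "GET /js/callbacks/searchnames.php?name=alice HTTP/1.1" 200 4 "-" "curl/8.5.0"
203.0.113.7 - - [07/May/2026:10:00:03 +0000] "GET /js/callbacks/searchnames.php?name=bob HTTP/1.1" 200 4 "-" "curl/8.5.0"
203.0.113.7 - - [07/May/2026:10:00:04 +0000] "GET /js/callbacks/searchnames.php?name=carol HTTP/1.1" 200 62 "-" "curl/8.5.0"
203.0.113.7 - - [07/May/2026:10:00:05 +0000] "GET /js/callbacks/searchnames.php?name=dave HTTP/1.1" 200 4 "-" "curl/8.5.0"
198.51.100.4 - - [07/May/2026:10:00:07 +0000] "GET /js/callbacks/searchnames.php?name=newuser HTTP/1.1" 200 4 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp, probed_name) for a searchnames.php hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    names = parse_qs(url.query).get("name")
    if url.path != ENDPOINT or not names:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), names[0]

def find_enumerators(log_text, window=timedelta(seconds=60), threshold=4):
    """Map client IP -> most distinct usernames probed in any `window`; only clients above `threshold` (assumed values)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            ip, ts, name = hit
            events[ip].append((ts, name))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            distinct = {name for _, name in hits[start:end + 1]}
            if len(distinct) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Tune window and threshold to the site's real signup traffic; a legitimate visitor retrying a handful of names should stay below the threshold.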
Hello,
We're running the latest version of Flyspray, so you should report it to them.
Kind regards,
Cyril
I don't understand
bugs.flyspray says: 2024-02-17: revive of bugs.flyspray.org in progress