Urgent Security Alert: Username Enumeration Vulnerability Found on https://opendap.org


Stella Adam

Jun 13, 2025, 3:48:10 PM
to sup...@opendap.org

Severity: Medium-High
Bug Name: Username Enumeration

Website: https://opendap.org
Affected POC: https://opendap.org/wp-json/wp/v2/users/

Description:
During our comprehensive security assessment, we identified a Username Enumeration vulnerability on your site. This flaw allows attackers to discern valid usernames by analyzing different system responses during login, password reset, or registration processes. Such information significantly aids threat actors in launching targeted brute-force or social engineering attacks, potentially leading to unauthorized account access, data leakage, or account takeover.

Impact:

  • Increases risk of brute-force and credential stuffing attacks.

  • Facilitates phishing campaigns by identifying valid user accounts.

  • Weakens overall authentication security posture.

Suggested Fix:

  • Standardize all authentication-related responses to be generic and indistinguishable regardless of user validity.

  • Implement rate limiting, account lockouts, or CAPTCHA challenges after multiple failed attempts.

  • Audit and secure all endpoints involved in user authentication and recovery workflows.

White Hat Note:
Our mission is to strengthen cybersecurity for everyone by responsibly reporting such vulnerabilities. We encourage you to notify us once this issue has been resolved, so we can perform a retest to confirm the fix. We look forward to recognizing your commitment to security with a bounty reward.

Vulnerability Report

Jun 14, 2025, 3:15:27 AM
to sup...@opendap.org

Vulnerability Report

Jul 8, 2025, 6:41:26 AM
to sup...@opendap.org

Hi Team,
I wanted to follow up on the vulnerability I submitted. I took care to follow responsible disclosure practices and ensure the report was clear and actionable.
If your team offers any form of reward or appreciation for valid reports, I’d be grateful to be considered. These gestures really encourage continued ethical research and collaboration.
Thanks again for your time.
Best Regards.

Stella Adam

Jul 23, 2025, 4:53:26 AM
to sup...@opendap.org
Hi Team,
I wanted to follow up on the vulnerability I submitted. I took care to follow responsible disclosure practices and ensure the report was clear and actionable.
If your team offers any form of reward or appreciation for valid reports, I’d be grateful to be considered. These gestures really encourage continued ethical research and collaboration.
Thanks again for your time.
Best Regards.

Vulnerability Report

Aug 6, 2025, 5:28:46 AM
to sup...@opendap.org
Hi Team,
Just following up on the report I shared recently. I'm glad to help improve your platform’s security and hope it proves useful.
If there’s a reward program or recognition path in place, I’d love to be considered — it goes a long way in supporting independent researchers like myself.
Looking forward to your response.
Best Regards

Stella Adam

Aug 18, 2025, 3:17:13 AM
to sup...@opendap.org
Hi Team,
Just following up on the report I shared recently. I'm glad to help improve your platform’s security and hope it proves useful.
If there’s a reward program or recognition path in place, I’d love to be considered — it goes a long way in supporting independent researchers like myself.
Looking forward to your response.
Best Regards

Stella Adam

Sep 1, 2025, 5:48:34 AM
to sup...@opendap.org
Hello Team,

I hope everything is going well on your end. I wanted to politely follow up regarding the vulnerability we reported earlier.

While our main goal is to help improve your security posture, we would also welcome a reward for the vuln, should you decide to grant one. We fully understand this is not an obligation and depends entirely on your room and discretion.

Your acknowledgment and appreciation mean a lot to us.

Best regards

Vulnerability Report

3:09 AM
to sup...@opendap.org
Hello Team,

I hope everything is going well on your end. I wanted to politely follow up regarding the vulnerability we reported earlier.

While our main goal is to help improve your security posture, we would also welcome a reward for the vuln, should you decide to grant one. We fully understand this is not an obligation and depends entirely on your room and discretion.

Your acknowledgment and appreciation mean a lot to us.

Best regards
