Disclosure of usernames and user ids is not considered a weakness

Last updated February 27, 2012. Created by greggles on December 21, 2010. Edited by scor, Andrew Schulman, Josh The Geek.

The Drupal Security Team does not consider it a vulnerability that there are ways to determine a registered member's username and/or user id value (i.e. the numeric uid).

Justification for considering username/uid to be sensitive information

This information may be useful to help an attacker gain access to a site. Once an attacker knows the username, they have half of the information necessary to break into an account. Many security researchers and experts consider it a security weakness for a system to disclose the usernames registered on a site.

Drupal's philosophy

Usernames are an important part of online identity. Having a public username helps other users of a site know the identity of the person they are interacting with in a forum or a blog. Drupal is primarily intended to be used for sites where identity and interaction are key elements, so it is reasonable for that information to be public.

Potential mitigation

Administrators of sites that are concerned about this form of attack should look to increase the strength of their login process, for example by using the Yubikey or Swekey modules or similar. It is also possible to keep the login name out of public view by displaying users' real names instead with the RealName module, and to reduce the likelihood of username enumeration with the Username Enumeration Prevention module.
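The principle behind the Username Enumeration Prevention module is that the site's responses must not differ depending on whether a submitted name belongs to an existing account. The following is an added illustration of that principle in plain PHP; it is not code from this page, from Drupal core or from any of the modules named above. It assumes PHP 7 or later, uses a constructed in-memory account table instead of Drupal's user table, and refers to a hypothetical `send_reset_mail()` that is not implemented here.

```php
<?php
// Added illustration, not part of the Drupal documentation or any Drupal
// module. Shows why the leaky login/reset responses below enumerate users
// and how a uniform response removes the difference. Assumes PHP 7+.

// Constructed sample data: username => password hash.
$accounts = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hash of a throwaway password. It is verified against when the name is
// unknown, so unknown and known names cost the same time to check; a timing
// difference would otherwise enumerate accounts just as well as a message.
$dummy_hash = password_hash('dummy-password-never-valid', PASSWORD_DEFAULT);

// Leaky version: the error text tells the requester whether the name exists.
function login_leaky(array $accounts, string $name, string $password): string {
    if (!isset($accounts[$name])) {
        return 'Unknown username.';     // reveals: no such account
    }
    if (!password_verify($password, $accounts[$name])) {
        return 'Wrong password.';       // reveals: account exists
    }
    return 'OK';
}

// Hardened version: one message and the same amount of work for both
// failure cases. password_verify() always runs, even for unknown names.
function login_uniform(array $accounts, string $name, string $password, string $dummy_hash): string {
    $hash  = $accounts[$name] ?? $dummy_hash;
    $valid = password_verify($password, $hash) && isset($accounts[$name]);
    return $valid ? 'OK' : 'Sorry, unrecognized username or password.';
}

// Password reset: acknowledge every request identically. Whether mail is
// actually sent is decided internally and never reflected to the requester.
function reset_uniform(array $accounts, string $name): string {
    if (isset($accounts[$name])) {
        // send_reset_mail($name);  // hypothetical mail sender, not implemented
    }
    return 'If that account exists, further instructions have been sent to its e-mail address.';
}

// Constructed attempts: one existing name, one that does not exist, both
// with a wrong password. Only the leaky version lets them be told apart.
foreach (['alice' => 'wrong', 'mallory' => 'wrong'] as $name => $pw) {
    echo "$name leaky:   ", login_leaky($accounts, $name, $pw), PHP_EOL;
    echo "$name uniform: ", login_uniform($accounts, $name, $pw, $dummy_hash), PHP_EOL;
}
echo reset_uniform($accounts, 'mallory'), PHP_EOL;
```

Run with `php example.php`: the leaky login prints a different message for `alice` and `mallory`, while the uniform login prints the same message for both and the reset flow acknowledges the unknown name exactly as it would a known one. Note that the same care applies to any other path that reflects account existence, such as profile URLs built from the numeric uid mentioned above.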

Those interested in making usernames a more private piece of information should work on #849602: hide usernames from users without the "access user profiles" permission.

Page status

No known problems

About this page

Audience
Contributors, Designers/themers, Programmers, Site administrators, Site users

Administration & Security Guide

Drupal’s online documentation is © 2000-2013 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution-ShareAlike 2.0. PHP code is distributed under the GNU General Public License. Comments on documentation pages are used to improve content and then deleted.