Channel: Issues for Drupal core

Username enumeration via one time login route


Problem/Motivation

User password reset URLs can be used to enumerate usernames.

For example: [site_url]/user/reset/[user_id]/1/1

For Drupal 7 or Drupal 8, if you're logged in and visit a URL like the one above, the username is disclosed through this message:

Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user.

For Drupal 8 only, if you're logged out and visit a URL like the one above, you get a "Reset password" form with the following content (which includes the username):

This is a one-time login for %user_name and will expire on %expiration_date.

Click on this button to log in to the site and change your password.

When you submit the form, it then tells you that the link is invalid. But it should never have shown the form in the first place: the link must be validated before anything user-specific is rendered.
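The two handler orderings described above, as an added example that is not Drupal code and not part of the original issue. It uses a hypothetical one-time-link scheme (an HMAC over uid and timestamp under a constructed server secret, a constructed user table, and an assumed 24-hour lifetime) purely to contrast the leaky flow, which renders the username before validating the link, with the hardened flow, which validates first and returns one generic message for unknown uid, bad hash and expired link alike:

```python
import hmac
import hashlib
from typing import Optional

# Constructed illustration values; nothing here comes from Drupal.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
USERS = {1: "admin_alice", 2: "bob"}
LINK_LIFETIME = 24 * 60 * 60  # assumed link lifetime in seconds

GENERIC_MESSAGE = "This one-time login link is invalid or has expired."


def make_hash(uid: int, timestamp: int) -> str:
    """Hypothetical link hash: HMAC-SHA256 over 'uid:timestamp' under the server secret."""
    return hmac.new(SERVER_SECRET, f"{uid}:{timestamp}".encode(), hashlib.sha256).hexdigest()


def make_reset_link(uid: int, timestamp: int) -> str:
    """Build the /user/reset/<uid>/<timestamp>/<hash> path for a valid link."""
    return f"/user/reset/{uid}/{timestamp}/{make_hash(uid, timestamp)}"


def link_is_valid(uid: int, timestamp: int, given_hash: str, now: int) -> bool:
    """Reject future or expired timestamps, then compare hashes in constant time."""
    if timestamp > now or now - timestamp > LINK_LIFETIME:
        return False
    return hmac.compare_digest(make_hash(uid, timestamp), given_hash)


def leaky_reset_page(uid: int, timestamp: int, given_hash: str, now: int,
                     current_user: Optional[int] = None) -> str:
    """The pattern the issue describes: the page is built from the uid before
    the link is validated, so any existing uid reveals its username."""
    name = USERS.get(uid)
    if name is None:
        return GENERIC_MESSAGE
    if current_user is not None and current_user != uid:
        # Logged-in branch: names the resetting user even though the link is bogus.
        return (f"Another user ({USERS[current_user]}) is already logged into the site "
                f"on this computer, but you tried to use a one-time link for user {name}.")
    page = f"This is a one-time login for {name}."
    if not link_is_valid(uid, timestamp, given_hash, now):
        page += " (link rejected on submit)"  # too late: the name was already shown
    return page


def hardened_reset_page(uid: int, timestamp: int, given_hash: str, now: int,
                        current_user: Optional[int] = None) -> str:
    """Validate first; only a valid link may render anything that identifies the account."""
    if not link_is_valid(uid, timestamp, given_hash, now):
        return GENERIC_MESSAGE
    name = USERS.get(uid)
    if name is None:
        return GENERIC_MESSAGE  # same response as a bad hash: no account oracle
    if current_user is not None and current_user != uid:
        return "Another user is already logged in on this computer; log out before using a one-time login link."
    return f"This is a one-time login for {name}."


if __name__ == "__main__":
    now = 1_700_000_000
    guess = (1, 1, "1")  # existing uid, random timestamp, random hash
    print("leaky:   ", leaky_reset_page(*guess, now))
    print("hardened:", hardened_reset_page(*guess, now))
    print("valid:   ", hardened_reset_page(1, now - 60, make_hash(1, now - 60), now))
```

Note that the hardened handler never looks up the account until the hash and lifetime have been checked, and that the unknown-uid and invalid-link branches return byte-identical text, so the response body no longer tells an unauthenticated client whether a given uid exists.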

I am reporting this issue because a customer (a bank) pointed out it was a leakage of customer information in their scenario. It is currently possible (v7.51 + v8.19) to get the username of a user in the system by requesting a password reset for that UID with a random timestamp and hash.

I reported this issue to the security team already and they concluded the following:

I believe this issue can be fixed in public without a security advisory because of our policy on username disclosure: https://www.drupal.org/node/1004778

