- Affected version: 2.3.0 / xenforo.com
Since the user handle is not considered personally identifying information in § 14.4.2 Privacy of personally identifying information Stored in Authenticators, the Relying Party MUST NOT include personally identifying information, e.g., e-mail addresses or usernames, in the user handle. This includes hash values of personally identifying information, unless the hash function is salted with salt values private to the Relying Party, since hashing does not prevent probing for guessable input values. It is RECOMMENDED to let the user handle be 64 random bytes, and store this value in the user’s account.
XenForo uses the user ID as the user handle. This is neither the recommended approach (e.g. 64 random bytes stored in the user account) nor does it comply with the requirement not to include personally identifying information:
The standard explicitly states that usernames must not be included in the user handle.
If the username is not allowed to be used in the user handle according to the standard (because it is considered personally identifying information), the user ID also must not be allowed, as it is trivial to retrieve the username by user ID.
Suggested Fix
Use the recommended approach
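As an added illustration, not part of the original report and not XenForo's code: the three user-handle strategies the quoted spec text distinguishes (raw ID, unsalted hash of the ID, 64 random bytes), side by side with a constructed in-memory account store standing in for the relying party's user table. Names such as `AccountStore` and `resolve_assertion_user` are assumptions of this example, not XenForo API.

```python
"""Added illustration of WebAuthn user-handle choices; not XenForo code."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# WebAuthn: user.id is an opaque byte string of 1..64 bytes.
MAX_USER_HANDLE_LEN = 64


def is_valid_user_handle(handle: bytes) -> bool:
    """Length constraint the spec places on user.id."""
    return 1 <= len(handle) <= MAX_USER_HANDLE_LEN


def handle_from_user_id(user_id: int) -> bytes:
    """The pattern the report describes: the database ID, as text, becomes
    the user handle. Whoever sees the handle (it is stored on the
    authenticator and returned in every assertion) sees the ID."""
    return str(user_id).encode("ascii")


def handle_from_unsalted_hash(user_id: int) -> bytes:
    """Hashing without a private salt does not help: IDs are small integers,
    so the hash can simply be recomputed for every candidate."""
    return hashlib.sha256(str(user_id).encode("ascii")).digest()


def probe_unsalted_hash(handle: bytes, max_id: int) -> Optional[int]:
    """Recover the ID behind an unsalted hash by trying every candidate."""
    for candidate in range(1, max_id + 1):
        if handle_from_unsalted_hash(candidate) == handle:
            return candidate
    return None


def new_random_user_handle() -> bytes:
    """Spec-recommended approach: 64 CSPRNG bytes, stored with the account."""
    return secrets.token_bytes(MAX_USER_HANDLE_LEN)


@dataclass
class Account:
    user_id: int
    username: str
    user_handle: bytes  # opaque random value, carries no information itself


@dataclass
class AccountStore:
    """Minimal in-memory stand-in for the relying party's user table
    (hypothetical; constructed for this example)."""
    _by_id: Dict[int, Account] = field(default_factory=dict)
    _by_handle: Dict[bytes, Account] = field(default_factory=dict)
    _next_id: int = 1

    def create(self, username: str) -> Account:
        handle = new_random_user_handle()
        # 64 random bytes do not collide in practice; the loop only makes the
        # uniqueness guarantee explicit at the store rather than assumed.
        while handle in self._by_handle:
            handle = new_random_user_handle()
        account = Account(self._next_id, username, handle)
        self._next_id += 1
        self._by_id[account.user_id] = account
        self._by_handle[handle] = account
        return account

    def resolve_assertion_user(self, user_handle: bytes) -> Optional[Account]:
        """On authentication the authenticator returns userHandle; the RP maps
        it back to an account via its own table, never by decoding it."""
        if not is_valid_user_handle(user_handle):
            return None
        return self._by_handle.get(user_handle)


if __name__ == "__main__":
    store = AccountStore()
    alice = store.create("alice")
    print("ID-based handle exposes:", handle_from_user_id(alice.user_id))
    hashed = handle_from_unsalted_hash(alice.user_id)
    print("unsalted hash, ID recovered:", probe_unsalted_hash(hashed, 10_000))
    print("random handle resolves to:", store.resolve_assertion_user(alice.user_handle).username)
```

The lookup table is the whole point of the recommended approach: the handle is a key into the relying party's own storage, so nothing an authenticator or a captured assertion reveals can be turned back into a user ID or username without access to that table.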