Weakness reference
CWE-289

Authentication Bypass by Alternate Name

This weakness occurs when an application authenticates users based on a name or identifier, but fails to account for alternate forms of that same name—such as…

01Summary

This weakness occurs when an application authenticates users based on a name or identifier, but fails to account for alternate forms of that same name—such as different cases, aliases, or equivalent representations. An attacker can exploit this by using a variant of a legitimate username to bypass authentication checks or access restricted resources intended for a different user.

02How It Happens

Authentication systems often compare usernames or identifiers directly without normalizing them first. If the comparison is case-sensitive when it shouldn't be, or if the system doesn't recognize that two different strings refer to the same entity (e.g., an email alias, a filesystem path with different separators, or a domain name in different cases), an attacker can craft an alternate form of a privileged username to slip past access controls. The root cause is usually a mismatch between how the authentication layer validates a name and how the underlying system (database, filesystem, or service) resolves or interprets that name.

03Real-World Impact

Successful exploitation can lead to unauthorized access to admin accounts, privilege escalation, or account takeover. For example, if an admin account is named Administrator but the system doesn't normalize case, an attacker might log in as administrator and bypass intended restrictions. In systems with email-based authentication, alternate email formats (e.g., user+tag@example.com vs. user@example.com) might be treated as different users by the auth layer but resolve to the same mailbox, allowing an attacker to register a second account tied to the same email and gain elevated privileges.

04Vulnerable & Fixed Patterns

Vulnerable pattern
import sqlite3

def authenticate_user(username, password):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    
    # Vulnerable: case-sensitive comparison
    cursor.execute("SELECT password_hash FROM users WHERE username = ?", (username,))
    row = cursor.fetchone()
    
    if row and verify_password(password, row[0]):
        return True
    return False

def is_admin(username):
    # Vulnerable: assumes username is already normalized
    return username == "Administrator"

Why it's vulnerable:
The authenticate_user function performs a case-sensitive lookup, so administrator, ADMINISTRATOR, and Administrator are treated as different users. The is_admin check is also case-sensitive, allowing an attacker to register or log in as a variant of the admin name and potentially bypass role checks.

Fixed pattern
import sqlite3

def authenticate_user(username, password):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    
    # Fixed: normalize username to lowercase before lookup
    normalized_username = username.lower().strip()
    cursor.execute("SELECT password_hash FROM users WHERE LOWER(username) = ?", 
                   (normalized_username,))
    row = cursor.fetchone()
    
    if row and verify_password(password, row[0]):
        return True
    return False

def is_admin(username):
    # Fixed: normalize before comparison
    normalized_username = username.lower().strip()
    return normalized_username == "administrator"
Vulnerable pattern
<?php
function authenticate_user($username, $password) {
    global $wpdb;
    
    // Vulnerable: case-sensitive query
    $user = $wpdb->get_row(
        $wpdb->prepare("SELECT user_pass FROM wp_users WHERE user_login = %s", $username)
    );
    
    if ($user && wp_check_password($password, $user->user_pass)) {
        return true;
    }
    return false;
}

function is_admin($username) {
    // Vulnerable: case-sensitive check
    return $username === "admin";
}
?>

Why it's vulnerable:
The database query is case-sensitive, so Admin, ADMIN, and admin are treated as separate users. An attacker could register or exploit a case variant to bypass role checks or access controls.

Fixed pattern
<?php
function authenticate_user($username, $password) {
    global $wpdb;
    
    // Fixed: normalize username and use case-insensitive comparison
    $normalized_username = strtolower(trim($username));
    $user = $wpdb->get_row(
        $wpdb->prepare("SELECT user_pass FROM wp_users WHERE LOWER(user_login) = %s", 
                       $normalized_username)
    );
    
    if ($user && wp_check_password($password, $user->user_pass)) {
        return true;
    }
    return false;
}

function is_admin($username) {
    // Fixed: normalize before comparison
    $normalized_username = strtolower(trim($username));
    return $normalized_username === "admin";
}
?>

05Prevention Checklist

Normalize all identifiers
before authentication and authorization checks: convert to lowercase, trim whitespace, and resolve aliases or equivalent forms in your system.
Use case-insensitive database queries
for username/email lookups, or normalize at the application layer before every comparison.
Document all alternate forms
of critical identifiers (e.g., admin accounts, service accounts) and ensure they are treated as equivalent throughout the codebase.
Test authentication with case variants
and known aliases during security testing to catch normalization gaps.
Apply the same normalization consistently
across login, permission checks, and audit logging so that the same user is always identified the same way.
Be aware of platform-specific aliasing
(e.g., Windows filesystem case-insensitivity, email address variations) and normalize accordingly for your environment.

06Signs You May Already Be Affected

Check your authentication logs for successful logins using unexpected case variants or aliases of known usernames. Review your user database for duplicate or near-duplicate accounts that may have been created by exploiting case sensitivity. If you notice admin or privileged actions attributed to usernames that differ only in case from legitimate accounts, investigate whether an alternate-name bypass has occurred.

07Related Recent Vulnerabilities