I just used my ssh bash access to my godaddy shared server. Upon inspection to ls -l of upper directory, it exposed all the shared user's username.<p>Please tell me I'm wrong.
Many sites rate usernames as public information, with SSH keys and passwords being private. Getting a list of users is not typically considered a security issue. If you chose (or were forced to choose) a username the was based on your real name, that could be a privacy issue (as well as a namespace collision problem), but not really a security issue.
Why don't you tell Godaddy about it, instead of posting here? At least write to the forum and ask the support guys if they know about this issue:<p><a href="http://support.godaddy.com/groups/web-hosting/forum/" rel="nofollow">http://support.godaddy.com/groups/web-hosting/forum/</a>
Even if it does, a username alone isn't a security breach. You would think they'd use ssh chroots or something, but there are no security issues with seeing a username
Nothing new and in fact it's an extremely common hack to do a recursive find over the upper directory to see if there are any directories with the global write bit set, then drop a php file to get access to their file system. In general, you should never put anything on a shared server that you don't want to world to see.
You are absolutely correct. You can also type `who` for a list of users who are currently logged in. You can even `cat /etc/passwd` for uids and home directories. That's how UNIX security works (not via obscurity). If your password's not strong enough to resist a bruteforce, change it and/or get a VPS (which, incidentally, commonly get pwned by Chinese botnets if you insist on using a weak password and don't switch to pubkey-only auth).
Adding to the other comments, I've encountered similar on shared hosts. The first time, when I encountered something similar through a PHP program, I reached out; I did get a response from support (who were responsive and did on their own escalate to a higher level), along the lines of, "We know. It's not ideal, but it's the best we can do within the current systems design."
Usually all you need to do is read /etc/passwd to get all the usernames on the system. Without access to /etc/passwd, commands like ls would be able to resolve UID -> username.
If you know how to do this, why don't you use pay $5/mo to DigitalOcean and get your own VPS... Shared hosting just implies that you are not really serious about security