forgot password page is not rate limiting, allowing to extract usernames by brute force
Bug #1422940 reported by
Manuel Seelaus
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical SSO provider |
Fix Released
|
High
|
Natalia Bidart | ||
Bug Description
Dear sirs,
I would like to introduce myself. I do bug inspections for the top websites
globally and I am hoping to get cooperation. I want to report a security
vulnerability. The issue exists in the following domain :
The bug specifically exists in the forgot my password form :
https:/
The attacker can generate a big lists of emails and brute force the forma to
extract most of Ubuntu users emails. I made a successfull scenario with a
generated mail list with more than 2000 http request without any limitation or
any kind of blocking from the server. Please let me know if you need more
information. Thanks.
Best regards,
Eslam Medhat
Related branches
lp:~nataliabidart/canonical-identity-provider/throttle-by-ip
- Martin Albisetti (community): Approve
-
Diff: 273 lines (+54/-63)4 files modifiedMakefile (+1/-2)
src/api/v20/handlers.py (+10/-9)
src/api/v20/tests/test_handlers.py (+42/-51)
src/api/v20/tests/test_login.py (+1/-1)
| Changed in canonical-identity-provider: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| Changed in canonical-identity-provider: | |
| assignee: | nobody → Natalia Bidart (nataliabidart) |
| Changed in canonical-identity-provider: | |
| status: | Confirmed → In Progress |
| Changed in canonical-identity-provider: | |
| status: | In Progress → Fix Committed |
| Changed in canonical-identity-provider: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
