Brute force account discovery

Bug #1564758 reported by Thibaud Lopez Schneider
Affects: Canonical SSO provider
Status: Fix Released
Importance: Low
Assigned to: Maximiliano Bertacchini

Bug Description

Hello,

The following Launchpad pages are subject to brute force account discovery:

* login page, https://login.launchpad.net/+login
* password recovery page, https://login.launchpad.net/+forgot_password
* registration, https://login.launchpad.net/+new_account

They will tell if an email address is already registered or not without throttling, limit, or CAPTCHA. There should be.

Thank you,

--Thibaud

Thibaud Lopez Schneider (thibaud-lopez) wrote:
affects: ubuntu-website → launchpad
information type: Private Security → Public
Thibaud Lopez Schneider (thibaud-lopez) wrote:
William Grant (wgrant)
affects: launchpad → canonical-identity-provider
Daniel Manrique (roadmr)
Changed in canonical-identity-provider:
status: New → Confirmed
Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
summary: - Launchpad brute force account discovery
+ Brute force account discovery
Changed in canonical-identity-provider:
importance: Undecided → Low
status: Confirmed → In Progress
Maximiliano Bertacchini (maxiberta) wrote:

Next rollout includes the following improvements:

- Significantly tighten the registration view throttling limit.
- Fix registration and forgot password views to show a nice "rate limit exceeded" error message.
- Show the "Check your email" page on the forgot password view for non-registered emails, the same as for registered emails.
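
The fix described in this comment, as an added example (not the Canonical SSO provider's code): a minimal forgot-password view in the leaky form the report describes and in a hardened form that throttles per client and returns the same "Check your email" page whether or not the address is registered, plus a self-check that the two responses no longer differ. The account store, limits, timestamps and client identifiers are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample user store: only these addresses have accounts.
REGISTERED = {"alice@example.org", "bob@example.org"}
SENT_RESETS = []  # stands in for the mailer; records who would get a reset link


class ForgotPasswordView:
    """Two versions of the same view: one that leaks account existence and
    one applying the fix described in the bug (uniform response + throttling)."""

    def __init__(self, limit=5, window_seconds=3600):
        self.limit = limit          # requests allowed per client per window
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client id -> recent request times

    def _over_limit(self, client, now):
        recent = self._hits[client]
        while recent and now - recent[0] >= self.window:
            recent.popleft()        # drop requests outside the window
        if len(recent) >= self.limit:
            return True
        recent.append(now)
        return False

    def leaky(self, client, email, now):
        # Behaviour the report describes: the message differs by account
        # existence and nothing is throttled, so the view enumerates accounts.
        if email in REGISTERED:
            SENT_RESETS.append(email)
            return "Check your email"
        return "No account is registered for this address"

    def hardened(self, client, email, now):
        # Fixed behaviour: throttle per client, and show the same page whether
        # or not the address is registered; only the side effect differs.
        if self._over_limit(client, now):
            return "Rate limit exceeded"
        if email in REGISTERED:
            SENT_RESETS.append(email)
        return "Check your email"


def response_reveals_account(handler, client, now):
    """Self-check for a deployment's own view: True when a registered and an
    unregistered address produce different responses (enumeration possible)."""
    known = handler(client, "alice@example.org", now)
    unknown = handler(client, "nobody@example.org", now)
    return known != unknown
```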

Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released