Brute force account discovery

Bug #1564758 reported by Thibaud Lopez Schneider on 2016-04-01
This bug affects 3 people

Affects: Canonical SSO provider
Status: Fix Released
Importance: Low
Assigned to: Maximiliano Bertacchini

Bug Description

Hello,

The following Launchpad pages are subject to brute force account discovery:

* login page, https://login.launchpad.net/+login
* password recovery page, https://login.launchpad.net/+forgot_password
* registration, https://login.launchpad.net/+new_account

They will tell if an email address is already registered or not without throttling, limit, or CAPTCHA. There should be.

Thank you,

--Thibaud

affects: ubuntu-website → launchpad
information type: Private Security → Public
William Grant (wgrant) on 2016-04-01
affects: launchpad → canonical-identity-provider
Daniel Manrique (roadmr) on 2018-06-07
Changed in canonical-identity-provider:
status: New → Confirmed
Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
summary: - Launchpad brute force account discovery
+ Brute force account discovery
Changed in canonical-identity-provider:
importance: Undecided → Low
status: Confirmed → In Progress

Next rollout includes the following improvements:

- Significantly tighten the registration view throttling limit.
- Fix registration and forgot password views to show a nice "rate limit exceeded" error message.
- Show "Check your email" page on forgot password view for non-registered emails, the same as with registered emails.

Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
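The two mitigations listed in the rollout above, a uniform "Check your email" response and a per-client throttle, are shown side by side below as an added example written for this page; it is not the canonical-identity-provider code, and the account store, addresses, limits and handler names are constructed for illustration. `leaky_forgot_password` answers differently for registered and unregistered addresses, which is the enumeration oracle the report describes; `hardened_forgot_password` throttles first and then returns the same status and message either way, with the reset mail only queued so the response path does the same work for both cases. The limiter is the kind of control that applies to all three views; the registration view cannot fully hide the answer in-page (a duplicate address must be rejected), which is why the fix tightens throttling there rather than changing the message.

```python
"""Account-enumeration leak vs. hardened forgot-password handler.
Added example, not the SSO provider's own code; all data is constructed."""
import time
from collections import defaultdict, deque

# Constructed sample user store; not real accounts.
REGISTERED = {"alice@example.com", "bob@example.com"}

UNIFORM_MESSAGE = ("Check your email. If an account exists for that address, "
                   "a password reset link has been sent.")


def leaky_forgot_password(email):
    """Before: the response itself says whether the address is registered,
    so anyone can test a list of addresses without credentials."""
    if email in REGISTERED:
        return 200, "Password reset email sent."
    return 404, "No account is registered for that email address."


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` requests in any `window` seconds.
    `key` is whatever the deployment throttles on (client IP, email, or both)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock              # injectable so tests can advance time
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()              # expire hits older than the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def hardened_forgot_password(email, client_ip, limiter, outbox):
    """After: throttle first, then give the same status and message for
    registered and unregistered addresses. The reset mail (if any) is only
    appended to `outbox`, so the response path does equal work either way."""
    if not limiter.allow(client_ip):
        return 429, "Rate limit exceeded. Please try again later."
    if email in REGISTERED:
        outbox.append(email)            # in production: hand off to a mail worker
    return 200, UNIFORM_MESSAGE


def distinguishes_accounts(handler, emails):
    """Enumeration probe: True if the handler's responses differ across inputs."""
    return len({handler(e) for e in emails}) > 1


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com"]
    print("leaky distinguishes:", distinguishes_accounts(leaky_forgot_password, probe))

    limiter = SlidingWindowLimiter(limit=5, window=60)
    outbox = []

    def hardened(email):
        return hardened_forgot_password(email, "203.0.113.7", limiter, outbox)

    print("hardened distinguishes:", distinguishes_accounts(hardened, probe))
    print("reset mail queued for:", outbox)
```

The probe is the same check a tester would run against the three URLs in the report: submit a known-registered and a known-unregistered address and compare status code and body. Anything that differs, including response time if the mail is sent synchronously, is an oracle, which is why the hardened handler defers the send rather than only rewording the page.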