Brute force account discovery
Bug #1564758 reported by Thibaud Lopez Schneider
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | Low | Maximiliano Bertacchini |
Bug Description
Hello,
The following Launchpad pages are subject to brute force account discovery:
* login page, https:/
* password recovery page, https:/
* registration, https:/
They will tell if an email address is already registered or not without throttling, limit, or CAPTCHA. There should be.
Thank you,
--Thibaud
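A defender's sketch of the fix the report asks for, added here as an example and not code from the canonical-identity-provider project: a password-recovery handler that returns the same reply whether or not the address is registered, plus a per-client request throttle. The in-memory user store, the limits, and the `forgot_password` / `ResetThrottle` names are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed sample user store (stand-in for the real account database).
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}

# One reply for every address, so the response body is not an oracle
# for whether an account exists.
GENERIC_RESET_REPLY = ("If an account exists for that address, "
                       "reset instructions have been emailed to it.")

# Hypothetical limits: at most MAX_ATTEMPTS requests per client per window.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 60


class ResetThrottle:
    """Sliding-window counter keyed by a client identifier (e.g. source IP)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        # Forget timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_attempts:
            return False          # over the limit: do not record, just refuse
        hits.append(now)
        return True


def forgot_password(email, client_key, throttle, now=None, outbox=None):
    """Handle a reset request without revealing whether `email` is registered.

    Returns (http_status, body). Account existence only decides whether a
    reset mail is queued in `outbox`; the visible response is identical.
    """
    if not throttle.allow(client_key, now):
        return 429, "Too many requests; please try again later."
    if email.lower() in REGISTERED_EMAILS and outbox is not None:
        outbox.append(email.lower())   # reset link goes out of band, by mail
    return 200, GENERIC_RESET_REPLY
```

The same shape applies to the login and registration replies the report lists. A production handler also has to keep the two branches from differing in timing (for example by doing the same work either way), which this sketch does not address.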
Related branches
lp:~maxiberta/canonical-identity-provider/fix-429-crash
- Adam Collard (community): Approve
- Diff: 78 lines (+26/-1), 2 files modified
  - src/webui/tests/test_views_registration.py (+16/-0)
  - src/webui/views/registration.py (+10/-1)

lp:~maxiberta/canonical-identity-provider/prevent-forgot-password-user-enumeration
- Tom Wardill (community): Approve
- Diff: 284 lines (+59/-49), 5 files modified
  - src/api/v20/handlers.py (+3/-4)
  - src/api/v20/tests/test_handlers.py (+4/-3)
  - src/identityprovider/tests/openid_server/per_version/test_sso_workflow_reset_password.py (+2/-7)
  - src/webui/tests/test_loginservice.py (+24/-22)
  - src/webui/tests/test_views_registration.py (+26/-13)

lp:~maxiberta/canonical-identity-provider/registration-throttling
- Adam Collard (community): Approve
- Diff: 77 lines (+14/-6), 3 files modified
  - django_project/settings_base.py (+1/-0)
  - src/api/v20/handlers.py (+1/-1)
  - src/api/v20/tests/test_handlers.py (+12/-5)
affects: launchpad → canonical-identity-provider

Changed in canonical-identity-provider:
- status: New → Confirmed

Changed in canonical-identity-provider:
- assignee: nobody → Maximiliano Bertacchini (maxiberta)

summary: Launchpad brute force account discovery → Brute force account discovery

Changed in canonical-identity-provider:
- importance: Undecided → Low
- status: Confirmed → In Progress

Changed in canonical-identity-provider:
- status: Fix Committed → Fix Released
This may help:
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
http://security.stackexchange.com/questions/98082/forgot-password-and-revealing-whether-account-exists