Canonical SSO provider

Brute force account discovery

Bug #1564758 reported by Thibaud Lopez Schneider on 2016-04-01
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Canonical SSO provider
Fix Released
Low
Maximiliano Bertacchini
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Hello,

The following Launchpad pages are subject to brute force account discovery:

* login page, https://login.launchpad.net/+login
* password recovery page, https://login.launchpad.net/+forgot_password
* registration, https://login.launchpad.net/+new_account

They will tell if an email address is already registered or not without throttling, limit, or CAPTCHA. There should be.

Thank you,

--Thibaud

Related branches

lp:~maxiberta/canonical-identity-provider/fix-429-crash
Adam Collard (community): Approve on 2018-12-21
Diff: 78 lines (+26/-1)
2 files modified
src/webui/tests/test_views_registration.py (+16/-0)
src/webui/views/registration.py (+10/-1)
lp:~maxiberta/canonical-identity-provider/prevent-forgot-password-user-enumeration
Tom Wardill: Approve on 2019-01-14
Diff: 284 lines (+59/-49)
5 files modified
src/api/v20/handlers.py (+3/-4)
src/api/v20/tests/test_handlers.py (+4/-3)
src/identityprovider/tests/openid_server/per_version/test_sso_workflow_reset_password.py (+2/-7)
src/webui/tests/test_loginservice.py (+24/-22)
src/webui/tests/test_views_registration.py (+26/-13)
lp:~maxiberta/canonical-identity-provider/registration-throttling
Adam Collard (community): Approve on 2018-12-21
Diff: 77 lines (+14/-6)
3 files modified
django_project/settings_base.py (+1/-0)
src/api/v20/handlers.py (+1/-1)
src/api/v20/tests/test_handlers.py (+12/-5)
Thibaud Lopez Schneider (thibaud-lopez) wrote :
affects: ubuntu-website → launchpad
information type: Private Security → Public
Thibaud Lopez Schneider (thibaud-lopez) wrote :

This may help:

https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
http://security.stackexchange.com/questions/98082/forgot-password-and-revealing-whether-account-exists

William Grant (wgrant) on 2016-04-01
affects: launchpad → canonical-identity-provider
Daniel Manrique (roadmr) on 2018-06-07
Changed in canonical-identity-provider:
status: New → Confirmed
Maximiliano Bertacchini (maxiberta) on 2018-12-18
Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
Maximiliano Bertacchini (maxiberta) on 2018-12-19
summary: - Launchpad brute force account discovery
+ Brute force account discovery
Maximiliano Bertacchini (maxiberta) on 2018-12-20
Changed in canonical-identity-provider:
importance: Undecided → Low
status: Confirmed → In Progress
Maximiliano Bertacchini (maxiberta) wrote :

Next rollout includes the following improvements:

- Significantly tighten the registration view throttling limit.
- Fix registration and forgot password views to show a nice "rate limit exceeded" error message.
- Show "Check your email" page on password forget view for non-registered emails, the same as with registered emails.

Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Maximiliano Bertacchini (maxiberta) on 2019-01-16
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Bug attachments