Security: User enumeration when authenticationProtectionConfiguration is active

By: Alexandre Zia Account Admin 14 Nov 2021 at 8:40 a.m. CST

13 Responses
Alexandre Zia gravatar
It is possible for an attacker to enumerate existing user accounts when authenticationProtectionConfiguration is enabled in oxAuth. When authenticationProtectionConfiguration is enabled, oxauth adds a delay in login attempts after a configurable number of retries. However, this delay only triggers if the attempted account exists, if the attempted account does not exists the delay never triggers. Thus an attacker is able to determine if the account exists by observing the occurence of this delay on login attempts. This is a top priority for us, can you please implement the same delay when the attempted account does not exists? Regards
Gluu 4.3 Kubernetes 1.18
closed

Answers

By Mohib Zico staff 14 Nov 2021 at 1:39 p.m. CST

Copy
Mohib Zico gravatar
Hi Zia, Please allow me to dig a bit and will get back to you soon. Thanks!

By Mohib Zico staff 17 Nov 2021 at 7:31 a.m. CST

Copy
Mohib Zico gravatar
Hello Zia, Can you please log into `https://files.gluu.org` one time? I am going to share a recording with you there.

By Alexandre Zia Account Admin 18 Nov 2021 at 1:25 p.m. CST

Copy
Alexandre Zia gravatar
I tried, but did not succeeded,

By Mohib Zico staff 18 Nov 2021 at 7:34 p.m. CST

Copy
Mohib Zico gravatar
Sorry, you can't login into files.gluu.org?

By Alexandre Zia Account Admin 19 Nov 2021 at 6:49 a.m. CST

Copy
Alexandre Zia gravatar
yes, I can't login tried local user, tried SSO,

By Mohib Zico staff 19 Nov 2021 at 7:19 a.m. CST

Copy
Mohib Zico gravatar
Hi Zia, >> yes, I can't login tried local user, tried SSO, Strange indeed. I'll check what's happening. BTW, I am sharing that screencast in youtube. I tried to test your scenario. Am I missing anything? Here it is: https://www.youtube.com/watch?v=umI1HgF_Ock&ab_channel=MohibZico

By Alexandre Zia Account Admin 19 Nov 2021 at 7:39 a.m. CST

Copy
Alexandre Zia gravatar
I saw your video, thanks, and I've noticed the delay is happening for you, for non existing accounts, However in my installation that does not occurs. I've also noticed some differences: - You're using 4.2 and I'm using 4.3 - I'm using Casa and you are not

By Mohib Zico staff 19 Nov 2021 at 9:57 a.m. CST

Copy
Mohib Zico gravatar
Thanks Zia. I tested in 4.3, seems like it's working as well. https://www.youtube.com/watch?v=CaptfHz6_oI&ab_channel=MohibZico There is one last difference between your setup and mine one. I am using CE, you are k8s.

By Alexandre Zia Account Admin 19 Nov 2021 at 10:27 a.m. CST

Copy
Alexandre Zia gravatar
I've just remembered another diference, I have changed the login username to require `mail` instead of default `uid` see attached screenshot in oxTrust -> Configuration -> Manage Authentication Primary Key and Local primary key
Screen_Shot_2021-11-19_at_13.26.18.png

By Mohib Zico staff 05 Dec 2021 at 11:33 p.m. CST

Copy
Mohib Zico gravatar
Hi Zia, I found an issue with EmailAddress, opened a github [issue](https://github.com/GluuFederation/oxAuth/issues/1600).

By Mohib Zico staff 19 Dec 2021 at 3:10 a.m. CST

Copy
Mohib Zico gravatar
**Status** Github issue still in active mode....

By Mohib Zico staff 10 Jan 2022 at 1:11 a.m. CST

Copy
Mohib Zico gravatar
I shared a test environment for developer to test and move forward but found one interesting thing with 4.3.1... Hi Zia, It's looking "okay" to me in 4.3.1. What do you think? https://files.gluu.org/index.php/s/wNoJqb3bzr662wq

By Mohib Zico staff 26 Jan 2022 at 7:12 a.m. CST

Copy
Mohib Zico gravatar
Hi Zia, I am closing this ticket for now. Please reopen if required. Kind regards, Zico

Post an answer