Closed Bug 1743789 Opened 3 years ago Closed 3 years ago

Account locking should limit based on user id alone and not on IP which is easy to rotate

Categories: bugzilla.mozilla.org :: General, enhancement

RESOLVED FIXED

People: Reporter: enderwiggin1042, Assigned: dkl

Details: Keywords: reporter-external, sec-moderate, wsec-bruteforce, Whiteboard: [reporter-external] [web-bounty-form] [verif?]

Attachments: 2 files

Description
A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.

I found out that there is rate-limiting in place after 5 failed attempts. Now that's good, but the problem is that the rate-limiting is based on IP. It may look like a minor issue, but such vulnerabilities may lead to a full account takeover.
For this attack to work the attacker only has to change his IP on every request or after being rate-limited. There are many services on the internet which let an attacker do this at a cheap cost, such as AWS.

STEPS TO REPRODUCE:
Go to https://bugzilla.mozilla.org/user_profile
Enter the victim's email and random password.
Intercept the request using Burp Suite.
Send it to Intruder and use wordlist on password parameter.
You will see that you will get rate-limited after 5 requests.
Change your IP.
You will see that the rate limit is not in place anymore.

PoC:
I'm using Burp Suite with AWS Gateway (lets me change my IP on every request).
PoC is attached

Impact:
Full Account Takeover

Remediation:
Add Captcha
Add Account Lockout after certain failed attempts.

Attached file PoC

PoC of the bug

Group: websites-security → bugzilla-security
Type: task → enhancement
Component: Other → General
Product: Websites → bugzilla.mozilla.org

Thank you for the report. This indeed is an issue that we will need to address. The current behavior is that we lock out the account after 5 failed attempts, but it is based on a single IP address failing 5 times. We will need to change it to fail for any IP address for a specific user account after 5 times. I feel this is a legitimate inconvenience for the actual user. The error page will continue to show the list of IP addresses that were used for the failed login attempts. I will work on this today.

Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: sec-bounty?
Attached patch 1743789_1.patch (Splinter Review)
Attachment #9264494 - Flags: review?(glob)

Have you applied this patch or this is just for review?

Comment on attachment 9264494 [details] [diff] [review]
1743789_1.patch

Review of attachment 9264494 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob lgtm
Attachment #9264494 - Flags: review?(glob) → review+

(In reply to Ender from comment #4)

> Have you applied this patch or this is just for review?

It is just for review at the moment. Once merged, we start a process of rolling out the change to our production cluster. I will then be able to have you try the exploit again to see if it is properly fixed.

Summary: Account Takeover (Brute-Force on login page) → Account locking should limit based on user id alone and not on IP which is easy rotate
Summary: Account locking should limit based on user id alone and not on IP which is easy rotate → Account locking should limit based on user id alone and not on IP which is easy to rotate

Merged to master.
https://github.com/mozilla-bteam/bmo/commit/37717636c108b6c50d19f4a6ac9e01248977acc7

Closing bug due to code commit but bug will still be reviewed due to sec-bounty? flag being set.

Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: bugzilla-security

Thanks David for the quick fix, much appreciated. I re-added the security group to keep the report closed until we verify the fix and discuss the bounty.

Thanks,
Frida

I need the bug to be public for the deployment process to work. The fix is already committed to a public GitHub repo, so we are committed to deployment.

Group: bugzilla-security

This is now live on production bugzilla.mozilla.org. Can you please try your PoC again to verify it is fixed?

Flags: needinfo?(enderwiggin1042)

It's fixed now, but I would like to add that you should reset the counter to 0 when the user logs in successfully after 4 attempts. It's not that important, but sometimes it can annoy the user.

Flags: needinfo?(enderwiggin1042)

(In reply to Ender from comment #11)

> It's fixed now, but I would like to add that you should reset the counter to 0 when the user logs in successfully after 4 attempts. It's not that important, but sometimes it can annoy the user.

Thanks for the feedback. I will make note of it. Also, hopefully the security team will weigh in soon regarding the sec-bounty.
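The following is an added example illustrating the two lockout policies discussed in this bug (the pre-fix per-IP counter in the description and the per-account counter from comment #1) together with the reset-on-success refinement suggested in comment #11. It is not BMO's code and does not reproduce the attached patch; the 5-failure threshold comes from the report, while the 15-minute window, the `LoginGuard` class, the addresses and the constructed credential/wordlist data are assumptions made for the demonstration.

```python
"""Login lockout keyed by client IP versus keyed by account.

Added example, not BMO's code. It models the policy change from this bug:
an IP-keyed counter is defeated by rotating source addresses, an
account-keyed counter is not. It also shows why the counter should be
cleared on a successful login (comment #11).
"""

MAX_FAILURES = 5          # threshold stated in the bug report
WINDOW_SECONDS = 15 * 60  # assumption: the page does not state BMO's real window


class LoginGuard:
    """Tracks failed logins and refuses attempts once a key hits MAX_FAILURES.

    key_by="ip"      -> pre-fix behaviour: the source address is the key
    key_by="account" -> fixed behaviour: the user id is the key, any address
    """

    def __init__(self, key_by, reset_on_success=True):
        assert key_by in ("ip", "account")
        self.key_by = key_by
        self.reset_on_success = reset_on_success
        self._log = []  # (timestamp, account, ip) for every failed attempt

    def _recent_failures(self, account, ip, now):
        if self.key_by == "ip":
            match = lambda e: e[2] == ip
        else:
            match = lambda e: e[1] == account
        return [e for e in self._log if now - e[0] < WINDOW_SECONDS and match(e)]

    def is_locked(self, account, ip, now):
        return len(self._recent_failures(account.lower(), ip, now)) >= MAX_FAILURES

    def failed_ips(self, account, now):
        """Addresses behind an account's recent failures (shown on the error page)."""
        account = account.lower()
        return sorted({e[2] for e in self._log
                       if now - e[0] < WINDOW_SECONDS and e[1] == account})

    def attempt(self, account, ip, password, now, credentials):
        """Returns "locked", "ok" or "fail" for one login attempt."""
        account = account.lower()
        if self.is_locked(account, ip, now):
            return "locked"
        if credentials.get(account) == password:
            if self.reset_on_success:
                # A genuine user who finally got it right starts from zero.
                self._log = [e for e in self._log if e[1] != account]
            return "ok"
        self._log.append((now, account, ip))
        return "fail"


# Constructed test data: one account and twenty wrong guesses.
CREDENTIALS = {"victim@example.com": "correct horse battery staple"}
WORDLIST = [f"guess{i}" for i in range(20)]


def rotating_ip_run(guard, rotate_ip, account="victim@example.com"):
    """Replay the wordlist; returns (guesses actually checked, guesses refused)."""
    checked = refused = 0
    for i, pw in enumerate(WORDLIST):
        # 203.0.113.0/24 is the TEST-NET-3 documentation range.
        ip = f"203.0.113.{i}" if rotate_ip else "203.0.113.1"
        result = guard.attempt(account, ip, pw, now=1000.0 + i, credentials=CREDENTIALS)
        if result == "locked":
            refused += 1
        else:
            checked += 1
    return checked, refused


def reset_demo(reset_on_success):
    """Four typos, one correct login, then one more typo: is the user locked out?"""
    guard = LoginGuard("account", reset_on_success=reset_on_success)
    acct, ip = "victim@example.com", "198.51.100.7"
    for i in range(4):
        guard.attempt(acct, ip, "wrong", 2000.0 + i, CREDENTIALS)
    ok = guard.attempt(acct, ip, CREDENTIALS[acct], 2010.0, CREDENTIALS)
    guard.attempt(acct, ip, "wrong", 2020.0, CREDENTIALS)
    return ok, guard.is_locked(acct, ip, 2021.0)


if __name__ == "__main__":
    print("ip-keyed, rotating IPs    :", rotating_ip_run(LoginGuard("ip"), True))
    print("ip-keyed, fixed IP        :", rotating_ip_run(LoginGuard("ip"), False))
    print("account-keyed, rotating   :", rotating_ip_run(LoginGuard("account"), True))
    print("reset on success          :", reset_demo(True))
    print("no reset on success       :", reset_demo(False))
```

With the IP-keyed policy every rotated guess is checked because each address has a fresh counter; with the account-keyed policy only the first five are, regardless of address, and `failed_ips` still lists the addresses involved for the error page. `reset_demo` shows the point from comment #11: without clearing the counter on success, a legitimate user who mistyped four times and then logged in is locked out by a single later typo.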

Unfortunately our bounty program excludes "Denial-of-service attacks or issues related to rate limiting"
https://www.mozilla.org/en-US/security/web-bug-bounty/

Flags: sec-bounty? → sec-bounty-