Closed Bug 700445 Opened 14 years ago Closed 14 years ago

Case insensitive usernames place addons.mozilla.org under increased risk of bruteforce attack

Categories: addons.mozilla.org Graveyard :: Developer Pages
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED INVALID

People: Reporter: mgoodwin; Assignee: Unassigned

Details: Whiteboard: [infrasec:bestpractice][ws:low][wh-6095218]

Issue: The username is case-insensitive. A user can successfully authenticate even if the username is not properly cased. Allowing the username to be case-insensitive decreases the available keyspace for a username. The success of a brute force attack on the username is increased due to the decrease of available characters for a username.

Steps to reproduce: Try logging in using a variety of case combinations in the username field.

Resolution: Require the application to use case-sensitive usernames.

Recommended remediation:
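The reproduction step and the keyspace claim from the report, as an added worked example (this is illustrative code written for this page, not code from the page, from WhiteHat, or from AMO): a small account store that can do either exact or case-folded username lookup, a probe that tries the case variants of a username against it the way the "steps to reproduce" describe, and the username keyspace count behind the "decrease of available characters" argument. The class and function names, the sample account and the PBKDF2 iteration count are all assumptions for the demonstration.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed for the example: iteration count kept low so the probe runs quickly;
# a production store would use a far higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Toy account store (hypothetical, not AMO's) with configurable username matching."""

    def __init__(self, case_sensitive: bool):
        self.case_sensitive = case_sensitive
        self._accounts = {}  # normalised username -> (salt, password hash)

    def _key(self, username: str) -> str:
        # When matching case-insensitively, normalise once with casefold() (not lower())
        # at both registration and login, so that two accounts cannot differ only by case.
        return username if self.case_sensitive else username.casefold()

    def register(self, username: str, password: str) -> None:
        key = self._key(username)
        if key in self._accounts:
            raise ValueError("username already taken")
        salt = secrets.token_bytes(16)
        self._accounts[key] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        record = self._accounts.get(self._key(username))
        if record is None:
            # Hash anyway so a missing username costs the same time as a wrong password.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _hash_password(password, salt))


def case_variants(username: str, max_variants: int = 64) -> list:
    """All spellings of username that differ only in letter case (capped for long names)."""
    positions = [i for i, c in enumerate(username) if c.isalpha()]
    variants = []
    for bits in itertools.product((0, 1), repeat=len(positions)):
        chars = list(username)
        for i, upper in zip(positions, bits):
            chars[i] = chars[i].upper() if upper else chars[i].lower()
        variant = "".join(chars)
        if variant not in variants:
            variants.append(variant)
        if len(variants) >= max_variants:
            break
    return variants


def probe_case_folding(store: AccountStore, username: str, password: str) -> list:
    """The report's reproduction step: which case variants of username does the login accept?

    More than one accepted spelling means the application folds case on lookup."""
    return [v for v in case_variants(username) if store.login(v, password)]


def username_keyspace(length: int, case_sensitive: bool) -> int:
    """Number of purely alphabetic (ASCII) usernames of the given length."""
    return (52 if case_sensitive else 26) ** length


if __name__ == "__main__":
    for sensitive in (True, False):
        store = AccountStore(case_sensitive=sensitive)
        store.register("Alice", "correct horse battery staple")  # constructed sample account
        accepted = probe_case_folding(store, "alice", "correct horse battery staple")
        print(f"case_sensitive={sensitive}: {len(accepted)} spelling(s) accepted: {accepted}")
    print("8-letter keyspace ratio:", username_keyspace(8, True) // username_keyspace(8, False))
```

Running the probe against the case-folding store accepts every spelling of the sample name; against the exact-match store only the registered spelling logs in. The keyspace function makes the report's arithmetic explicit: for a username with k letters, folding case divides the number of distinct usernames by 2^k (256 for eight letters), while the password, the actual secret an online brute force has to guess, is unaffected.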
AMO uses email addresses to log in...not sure where you are brute forcing the username. Since this is automatic from whitehat I'll call it invalid but reopen if I'm missing something.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Product: addons.mozilla.org → addons.mozilla.org Graveyard