Server: Username validation is possible via bruteforce

Created on 29 Aug 2017 · 4Comments · Source: nextcloud/server

Steps to reproduce

Try logging in with a username and password
Get the reset password error
The error on invalid usernames says: "Could not send reset mail. Please make sure your username is correct"

Expected behaviour

The error message in this case should not hint on a wrong user name. It could rather say: "Reset e-mail sent. If you have not received it within 10 minutes, contact your administrator".

Rationale

This is to make it unclear if a username exists or not. If an attacker does not know if a username is correct, various bruteforce attacks are much harder to achieve. It is also fairly trivial to mount an HTTP attack against a web server to try various usernames. It doesn't even have to run fast, one attempt every 5 minutes is often enough to hide what's going on. On a busy server, you probably will not notice anything at all. And it will take roughly 17-18 days to check a list of 5000 usernames with 5 minutes in between each check.

0. Needs triage bug security

Source

dsommers

👍3

Most helpful comment

Additionally the nextcloud prints the message "Incorrect password" if you have entered the correct username but a wrong password. Which gives an attacker the hint that this user exists.
See here for more information about how to implement authentication properly.
Furthermore I would label this with security not bug.