Comment 22 for bug 1688137

Jeremy Stanley (fungi) wrote : Re: PCI-DSS account lock out DoS and account UUID lookup oracle

So just to summarize, this report covers three possible vulnerabilities related to the PCI-DSS account lockout feature:

1. If someone can guess a username they can prevent that user from authenticating by repeatedly attempting to log in with an incorrect credential.

2. Someone can identify valid usernames by trying to log in with candidate strings with invalid passwords until the lockout is reached, at which point the change in API response confirms the existence of that user.

3. The lockout response can be used as an oracle to determine the UUID matching any known or guessed username.
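The three behaviours summarized in the comment above, as an added simulation that is not code from the bug report or from the affected project. It models a toy authentication endpoint with a failure-count lockout; the lockout threshold (3), the usernames, passwords and user IDs are all constructed for the example, and the assumption that the "locked" response carries the locked user's ID (which is what makes item 3 an ID oracle) is taken from the description of item 3, not from any specific implementation. The hardened variant shows that collapsing every failure path into one uniform response removes the enumeration and ID oracle (items 2 and 3) but does nothing about the lockout denial of service (item 1), which needs a different mitigation (for example, exempting service accounts, rate limiting by source, or unlocking on a successful second factor).

```python
"""Toy lockout oracle: illustrates the three issues in the bug summary.

Added example, not the affected project's code. All data is constructed.
"""
import hmac

LOCKOUT_THRESHOLD = 3  # constructed: lock after this many consecutive failures

# Constructed sample user database: username -> (user_id, password)
SAMPLE_USERS = {
    "alice": ("1c3b7d0e8f5a4b9c9d2e6f7a8b1c2d3e", "correct horse battery staple"),
    "bob":   ("9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d", "hunter2"),
}


class LeakyAuth:
    """Lockout with a distinct 'locked' response that names the user's ID.

    This is the behaviour the summary describes: unknown usernames never
    lock, known ones do, and the locked response reveals the user ID.
    """

    def __init__(self, users):
        self.users = users
        self.failures = {}
        self.locked = set()

    def authenticate(self, username, password):
        if username not in self.users:
            # Unknown user: plain failure, never reaches a locked state.
            return ("unauthorized", None)
        user_id, real_pw = self.users[username]
        if username in self.locked:
            # Assumption from item 3: the lockout error includes the user ID.
            return ("locked", user_id)
        if hmac.compare_digest(password.encode(), real_pw.encode()):
            self.failures[username] = 0
            return ("ok", user_id)
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
        return ("unauthorized", None)


class HardenedAuth(LeakyAuth):
    """Same lockout policy, but every failure looks identical to the caller.

    Removes the username/ID oracle (items 2 and 3). The lockout itself, and
    therefore the denial of service in item 1, is unchanged.
    """

    def authenticate(self, username, password):
        status, user_id = super().authenticate(username, password)
        if status != "ok":
            return ("unauthorized", None)
        return (status, user_id)


def enumerate_users(auth, candidates, attempts=LOCKOUT_THRESHOLD + 1):
    """Items 2 and 3: hammer each candidate with a bogus password.

    A 'locked' response confirms the username exists and yields its ID.
    Returns {username: user_id} for every candidate the oracle confirmed.
    """
    found = {}
    for name in candidates:
        for _ in range(attempts):
            status, user_id = auth.authenticate(name, "definitely-wrong")
            if status == "locked":
                found[name] = user_id
                break
    return found


def lock_out_victim(auth, victim, victim_password):
    """Item 1: attacker burns the victim's failure budget, then the victim's
    own correct password is rejected. Returns the status the victim sees."""
    for _ in range(LOCKOUT_THRESHOLD):
        auth.authenticate(victim, "definitely-wrong")
    status, _ = auth.authenticate(victim, victim_password)
    return status


if __name__ == "__main__":
    candidates = ["alice", "mallory", "bob", "root"]
    print("leaky oracle   :", enumerate_users(LeakyAuth(SAMPLE_USERS), candidates))
    print("hardened oracle:", enumerate_users(HardenedAuth(SAMPLE_USERS), candidates))
    print("leaky DoS      :", lock_out_victim(LeakyAuth(SAMPLE_USERS), "alice", SAMPLE_USERS["alice"][1]))
    print("hardened DoS   :", lock_out_victim(HardenedAuth(SAMPLE_USERS), "alice", SAMPLE_USERS["alice"][1]))
```

Running the module shows the leaky service handing back both real usernames with their IDs while the hardened one confirms nothing, and both services rejecting alice's correct password once her failure budget has been spent by someone else.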