3

I have a single account for a very popular website. I noticed that certain variations of my set password will successfully log me in. I have tested the variations on 3 separate browsers and all have the same behavior.

  1. Is this a security flaw?
  2. If so, what should I do with this information?

This is not a hypothetical question. I intentionally did not describe which variations successfully log in because it is a well-known website that many people use.

thechimp
  • Possible duplicate of [How to handle security issues of someone else's website](https://security.stackexchange.com/questions/4780/how-to-handle-security-issues-of-someone-elses-website) –  Mar 10 '18 at 19:57
  • Could you elaborate on what you mean by "variations"? If your password would be "password1234", would "1234password" log you in as well? – Tom K. Mar 10 '18 at 20:06
  • I don't want to get too specific but if string1 is my password, then string2 which is similar to my password but not the same will also log me in. There appears to be more than one string2 for a given string1. – thechimp Mar 10 '18 at 21:13
  • I'd be happy to elaborate on the variations after the site informs me they have patched it. Would it be ethical to disclose the identity of the site as well? – thechimp Mar 10 '18 at 21:14
  • 1
    I don't see a problem with explaining the differences between the strings, but do NOT disclose who the website is without giving them a chance to correct. – schroeder Mar 10 '18 at 21:30
  • 2
    Let me guess though: 1) string1 is a substring of string2, or 2) certain special characters are ignored – schroeder Mar 10 '18 at 21:31
  • @thechimp It would be ethical to disclose the identity of the site as long as you have also disclosed the issue to the site administrators. While this is likely a security issue (depending on exactly what kind of variations are accepted), the simple knowledge of this fact does not make any attacks substantially easier. It is more likely that the implications are that they store it in plaintext, in which case the site belongs on [Plain Text Offenders](http://plaintextoffenders.com/). – forest Mar 11 '18 at 07:00
  • Some (old) password hashing schemes (DES, some windows ones) were using only the first 8 characters whatsoever. So any variation that changes characters 9 and later will create the same authentication results. – Patrick Mevzek Mar 11 '18 at 14:16
  • Do they serve a [security.txt](https://securitytxt.org/) file? – jrtapsell Mar 13 '18 at 13:21
  • Here are the variations: if `string1` is the password, `*string1` and `string1*` will log you in, where `*` is any one character. So @schroeder you guessed correctly – thechimp Mar 16 '18 at 06:04
  • @thechimp not uncommon. Can you do `string1**` or `string1***`? If so, then they probably cut off the string at a certain number of characters. 12 is popular. – schroeder Mar 16 '18 at 08:20

3 Answers

1

Is this a security flaw? Yes!

If so, what should I do with this information?

Contacting their IT department is a good idea. You want to give them time to patch the vulnerability (two weeks is the standard). If the IT department does not respond or fix the issue, then reach out to other people at the company; e.g., upper management. Reaching them by phone is probably the most efficient option, but I'd personally go the electronic route because documentation is important when it comes to such matters.

If, after all of this, still no action has been taken by them to fix this, you have the option of going public. This document should explain that you've tried to reach out to the company but your attempts went unnoticed. Some see going public as a social and ethical responsibility, but you should only do this as your last step. You'll want to contact them privately at first for reasons stated.

Here is some additional documentation that you should read before proceeding:

1

Based on your information one cannot say for sure if this is a security problem or not. The answer instead depends on the exact kind of variations possible but you don't provide this information.

For example if a site is stripping white space from your password, if it ignores case of the letters or if it shortens the password it might still be considered secure enough as long as this transformation does not simplify the password down to a security level which would make attacks like brute-forcing practically feasible.

If instead the site, for example, only compares as many characters as you've entered, as in the recent vulnerability in Intel AMT authentication or in this bug in Windows file sharing from 2000, then it would definitely be a problem.

Steffen Ullrich
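The distinction Steffen draws (a transformation that merely shrinks the keyspace versus a comparison that is outright broken) is easier to see when the three checks sit side by side. The following is an added example, not code from the answer or from any site mentioned in the thread; the password, the variant list and the 8-character cut-off are constructed for the demonstration. It probes each login routine with the kinds of variation the thread discusses (a prefix, an extra leading or trailing character, changes after position 8, flipped case) and reports which ones are wrongly accepted:

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not from the post).
PASSWORD = "correct horse battery staple"
ITERATIONS = 100_000


def prefix_compare_login(stored, supplied):
    """Broken check: compares only as many characters as the client sent.

    This is the class of bug the answer refers to (Intel AMT, the old
    Windows file-sharing bug): any prefix of the real password, including
    the empty string, is accepted.
    """
    return stored[:len(supplied)] == supplied


def truncating_login(stored, supplied, limit=8):
    """Weak check: only the first `limit` characters are significant.

    Old DES-based crypt(3) behaved this way with limit=8 (Patrick's comment);
    anything after the cut-off is ignored, so the effective password is
    only `limit` characters long.
    """
    return stored[:limit] == supplied[:limit]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record; every character of the input contributes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(record, supplied):
    """Correct check: derive the key from the full input, compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def variants(password):
    """Constructed probes for the kinds of variation discussed in the thread."""
    return {
        "exact": password,
        "empty": "",
        "prefix": password[:5],
        "extra_leading_char": "x" + password,
        "extra_trailing_char": password + "x",
        "changed_after_8": password[:8] + "Z" * (len(password) - 8),
        "case_flipped": password.swapcase(),
    }


def accepted_variants(login):
    """Names of the non-exact variants that `login` wrongly accepts."""
    return sorted(name for name, value in variants(PASSWORD).items()
                  if name != "exact" and login(value))


def demo():
    """Run the probe set against each of the three login routines."""
    record = hash_password(PASSWORD)
    return {
        "prefix_compare": accepted_variants(lambda s: prefix_compare_login(PASSWORD, s)),
        "truncate_8": accepted_variants(lambda s: truncating_login(PASSWORD, s)),
        "pbkdf2_full": accepted_variants(lambda s: verify_password(record, s)),
    }


if __name__ == "__main__":
    for scheme, accepted in demo().items():
        print(f"{scheme}: wrongly accepts {accepted or 'nothing'}")
```

The prefix comparison accepts the empty string and any prefix, which is the "definitely a problem" case: an attacker needs no guess at all. The 8-character truncation accepts anything that agrees on the first 8 characters, which is the "depends on the security level" case: it is not a bypass, but a brute-force attacker only has to cover an 8-character keyspace. Only the full-length, constant-time comparison over a salted derived key rejects every variant. The same probe set is a reasonable way to characterise an observed login quirk before reporting it, as long as it is run only against your own account.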
1

Is this a security flaw?

It's hard to say!

It could be an intentional move on the part of a company to improve user experience for logging in. I know Facebook do this for the sake of user experience, which has been asked about before in a different way.

There are a few articles out there about Facebook doing this, but I haven't managed to find anything from Facebook themselves. The only thing I did manage to find was this article which mentions asking a Facebook engineer about it.

This is quite hard to pull off securely, because any acceptance of passwords that aren't your actual password is almost guaranteed to be at the detriment of security, as discussed here.

If so, what should I do with this information?

If you can't find any information online about the company doing this sort of thing (though from your emphasis on the size of the company I feel like it could be Facebook?), I recommend reaching out to them. If they're sizeable chances are they've been asked this before, and should be able to answer you relatively easily. Some companies have published security team mailboxes that you should be able to send this question to.

The answer by @orbuculum has some good resources for how to handle the "what should I do" side of this. It's a tricky area because both extremes (i.e. overreacting and punishing the reporter vs. underreacting and ignoring your communications) appear at least from online reports to be fairly common in companies. If the company is as big and popular as you say, there should be less of a concern about this.


N.B.: While I was down the rabbit hole I also came across Locality-sensitive hashing which discusses methods of doing this within the hash function itself.

JonRB
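JonRB's answer raises the possibility that the behaviour is deliberate, and that accepting anything other than the exact password is hard to do without hurting security. The following added example (not code from the answer, from Facebook, or from the site the asker is describing) shows the usual way such a policy is implemented without storing the plaintext: the server keeps only a salted hash and tries a small, explicit list of candidate forms of what was typed against it. The list of forms is an assumption for the demonstration: caps-lock inverted, first letter case-flipped, and one stray leading or trailing character dropped, the last two chosen to match the `*string1` / `string1*` behaviour reported in the comments. The `attacker_multiplier` helper makes the cost of the policy explicit:

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000


def make_record(password):
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def matches(record, candidate):
    """Constant-time comparison of one candidate against the stored digest."""
    salt, digest = record
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(derived, digest)


def candidate_forms(entered):
    """The bounded, explicit set of forms the server is willing to try.

    Assumed forms (the page does not say which a real site uses):
      - as typed
      - caps-lock inverted
      - first letter case-flipped (mobile auto-capitalisation)
      - one stray leading or trailing character dropped, matching the
        "*string1" / "string1*" behaviour the asker observed
    """
    forms = [entered]
    if entered:
        forms.append(entered.swapcase())
        forms.append(entered[0].swapcase() + entered[1:])
    if len(entered) > 1:
        forms.append(entered[1:])
        forms.append(entered[:-1])
    unique = []
    for form in forms:
        if form not in unique:
            unique.append(form)
    return unique


def lenient_login(record, entered):
    """Accept the login if any candidate form verifies against the hash."""
    return any(matches(record, form) for form in candidate_forms(entered))


def attacker_multiplier(entered):
    """How many distinct passwords one submitted guess covers under this policy.

    Each extra accepted form gives an online guesser that many chances per
    attempt, so rate limits and lockout budgets must be divided by it, and
    each form costs the server one extra KDF evaluation on a wrong guess.
    """
    return len(candidate_forms(entered))


if __name__ == "__main__":
    record = make_record("Tr0ub4dor&3")  # constructed sample password
    for attempt in ["Tr0ub4dor&3", "tR0UB4DOR&3", "xTr0ub4dor&3", "Tr0ub4dor&"]:
        print(f"{attempt!r}: accepted={lenient_login(record, attempt)}, "
              f"forms tried={attacker_multiplier(attempt)}")
```

Two things follow from writing it this way. First, the stored record is still a proper salted hash, so observing that variants are accepted does not by itself prove plaintext storage, which is the point forest's comment makes. Second, the leniency is not free: every form in the list multiplies what an online guesser gets per attempt, so a five-form policy needs login rate limiting that is five times tighter to keep the same guessing budget. Whether the site in question does this deliberately or has a comparison bug cannot be told from the outside, which is why reporting it to the site is the right next step.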