18

I found an information leakage vulnerability on a company website and I found that the information includes all the usernames of the users.

I also observed that the application uses a lockout mechanism that locks out users after 5 attempts for 30 mins.

So will this lockout be considered a vulnerability?

Yes, account lockout is not a vulnerability, but will the information leakage increase the severity of the problem or not?

schroeder
Cloud Learner

2 Answers

33

I would consider this a serious vulnerability. This can lead to an attack where the attacker can lock out every single user for 30 minutes.

Unless the company has a VPN in place, or another protection mechanism, it would be possible to download the entire user list, throw bogus passwords at all of them, and lock the entire company out.

They can even keep this in a loop and essentially deny access to all employees for a long period of time.

ThoriumBR
  • 36
    People, who say that "Availability" is not a goal of security, have never been locked out of a system they *really* need right now. –  Nov 10 '21 at 20:20
  • 4
    I (and everyone else) got locked out of a system because the External Security Manager died, and nobody could get online to restart it. – ThoriumBR Nov 10 '21 at 21:10
  • 6
    Locking out people who could manually interfere with or mitigate a complicated/prolonged attack could also make such an attack more effective, or succeed in the first place... – rackandboneman Nov 11 '21 at 03:37
  • One of the systems I use in my company sends a mail when this happens, and the mail contains an unlock link; only the person opening the link can log in with that account – Ferrybig Nov 11 '21 at 15:03
  • @Ferrybig: Don't deploy that for VPN login. That's a disaster waiting to happen. – Joshua Nov 11 '21 at 15:48
  • 8
    As an anecdotal addendum, DoS attacks like this were relatively common in PC gaming circles in the early 2000s. Popular services allowed others to add people to their friends lists using their usernames before most introduced the idea of a display name (which could be changed and differ from a login name). Once someone knew another's username, you could "ice" their account with a simple script that threw a sufficient amount of garbage passwords at their authentication layer and lock the target out of their accounts for a period of time. – esqew Nov 11 '21 at 16:20
6

I would look at it the other way around:

Does knowing the list of users increase the severity of an attackable account lockout mechanism?

Usernames are generally not random but based on people's names, so even without specific knowledge you can enumerate likely usernames (based on a dictionary of common names) and rapidly submit them to trigger lockouts on any that are valid.

A lockout system can and should protect against such attacks, for instance by locking out or rate limiting requests from a single IP address regardless of the username attempted. This only needs to slow the attacker down enough to make enumerating impractical.

Knowing the list of usernames reduces the size of the dictionary which you need to enumerate. That might be enough of a boost to make the attack practical, but it depends on how many users you need to target, and what measures the system has in place to slow you down.

Knowing the usernames might also aid you in targeting high-value accounts without triggering other protections, but those usernames could probably also be guessed from public information about key staff members, so again it's a small boost not a radical change in attack.

IMSoP
  • 1
    Locking a user depending on the IP won't help: the attacker just switches to another IP. There are lots of open proxies around. – ThoriumBR Nov 11 '21 at 11:49
  • 1
    @ThoriumBR I've rewritten my answer. My main point is that the list of usernames doesn't _enable_ this attack, it only _improves its chances_. If the lockout system is poorly designed, the attack would be possible anyway; if it's well designed, it might still be impractical. – IMSoP Nov 11 '21 at 12:15
  • 1
    @ThoriumBR if it's a business use case, block all, allow yours/employees. If it's for a public-facing service... yeah, good luck lol. Although, I've previously had luck blocking all non-US traffic; obviously there are proxies and easy ways to ddos and more from US IPs, just saying, when I've had to deal with brute force attempts from Russia, blocking IPs by geography nipped it in the bud. – TCooper Nov 11 '21 at 23:12
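The design point in IMSoP's answer (lockout per account alone lets a leaked user list become a mass lockout; a per-source failure budget caps the damage regardless of how many usernames are known), as an added simulation that is not code from the site or from any answerer. The 5-attempt / 30-minute policy comes from the question; the per-source budget of 20 failures per 60-second window, the IP addresses and the user list are assumed.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5        # failed attempts per account before lockout (from the question)
LOCKOUT_SECONDS = 30 * 60    # 30-minute lockout (from the question)
SOURCE_THRESHOLD = 20        # assumed: failures one source may accumulate per window
SOURCE_WINDOW = 60           # assumed: sliding window in seconds for the per-source budget


class AuthGate:
    """Toy login gate: per-account lockout, optionally plus per-source throttling."""

    def __init__(self, per_source_limit: bool):
        self.per_source_limit = per_source_limit
        self.failures = defaultdict(list)         # username -> failure timestamps
        self.locked_until = {}                    # username -> unlock time
        self.source_failures = defaultdict(list)  # source ip -> failure timestamps

    def attempt(self, username: str, ip: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied', 'locked' or 'throttled' for one login attempt."""
        if self.per_source_limit:
            recent = [t for t in self.source_failures[ip] if now - t < SOURCE_WINDOW]
            self.source_failures[ip] = recent
            if len(recent) >= SOURCE_THRESHOLD:
                return "throttled"            # budget spent: username is never even checked
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if password_ok:
            self.failures[username].clear()
            return "ok"
        self.failures[username].append(now)
        self.source_failures[ip].append(now)
        if len(self.failures[username]) >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username].clear()
        return "denied"


def simulate_mass_lockout(gate: AuthGate, usernames, attacker_ip: str = "203.0.113.7") -> int:
    """Throw LOCKOUT_THRESHOLD bogus passwords at every known username from one source,
    then count how many legitimate users (logging in from elsewhere) find themselves locked."""
    now = 0.0
    for user in usernames:
        for _ in range(LOCKOUT_THRESHOLD):
            gate.attempt(user, attacker_ip, password_ok=False, now=now)
            now += 0.1
    results = {u: gate.attempt(u, "198.51.100.5", password_ok=True, now=now) for u in usernames}
    return sum(1 for r in results.values() if r == "locked")


if __name__ == "__main__":
    leaked_users = [f"user{i:02d}" for i in range(40)]  # constructed stand-in for the leaked list
    print("per-account lockout only :", simulate_mass_lockout(AuthGate(False), leaked_users), "locked")
    print("plus per-source throttle :", simulate_mass_lockout(AuthGate(True), leaked_users), "locked")
```

With lockout alone every one of the 40 users ends up locked; with the per-source budget only the first four accounts are hit before the source is throttled, which is the "slow the attacker down" effect the answer describes (and, as ThoriumBR notes in the comments, one that a source rotating IPs can erode).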