Problem/Motivation

This was reported to the security team but has been cleared for a public issue. I did not make the original report. Note that the original report was derived from an LLM scan.

Authentication providers (the report claimed this only applies to basic auth but I'm pretty sure it applies to all of them) return early if the username is invalid. This opens up the potential to enumerate usernames if the timing of the early return is consistently distinguishable from the timing of a request where the password is actually checked.

Steps to reproduce

Whether or not the timings are predictable enough for this to be an enumeration vector would likely depend on the specific website, but it would be useful to profile a failed login attempt with a valid username against a failed login attempt with an invalid username, to see whether there is a significant timing difference and what percentage of the total request time it represents. It may be that this is not actually reproducible in practice, although we could still mitigate something that is theoretically reproducible if we wanted to.

Proposed resolution

The suggestion in the s.d.o report was to hash a dummy hash, but I think a slightly randomized usleep() would be more appropriate.
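An added example (not Drupal's code) contrasting the early-return pattern with the dummy-hash mitigation from the original report, plus a small profiling helper of the kind the steps to reproduce call for. The PBKDF2 hasher, the constructed user store and the helper names are assumptions; the hash-call counter gives a deterministic measure of the work each path does, independent of machine timing noise.

```python
import hashlib, hmac, os, secrets, statistics, time

ITERATIONS = 20_000  # work factor; PBKDF2 stands in for the site's real hasher (assumption)
HASH_CALLS = 0       # instrumentation: expensive hash computations performed so far

def hash_password(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store with a single valid account.
SALT = b"constructed-salt"
USERS = {"alice": (SALT, hash_password("correct horse", SALT))}

# Dummy credential hashed once at startup; unknown usernames are verified against it.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(secrets.token_hex(16), DUMMY_SALT)

def authenticate_early_return(username: str, password: str) -> bool:
    """The pattern the issue describes: an unknown username skips the hash entirely."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(hash_password(password, salt), stored)

def authenticate_dummy_hash(username: str, password: str) -> bool:
    """Mitigation from the original report: hash on every path, then discard the result
    for unknown users so the dummy credential can never log anyone in."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    return matches and rec is not None

def hash_calls(auth, username: str, password: str) -> int:
    """Hash computations one attempt performs: a deterministic proxy for its cost."""
    before = HASH_CALLS
    auth(username, password)
    return HASH_CALLS - before

def median_ms(auth, username: str, password: str, trials: int = 20) -> float:
    """Profile a failed attempt as the steps to reproduce suggest (numbers are machine dependent)."""
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        auth(username, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return statistics.median(samples)
```

Calling `median_ms` with the same wrong password for "alice" and for an unknown name shows the gap in the early-return variant and its absence in the dummy-hash variant.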

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

catch created an issue. See original summary.