Hitting ourselves with a Login Hammer

One of the joys of developing software is that moment where somebody manages to achieve something you think is impossible, and you then realise that you’re wrong: assumptions sink ships.

Take for example a project I was working on recently. It uses a well-known authentication library that includes a feature to lock out users after x number of failed attempts. In our case, this was set to 5.

Imagine then my surprise when an external audit allowed an attacker upwards of 20 attempts before they were locked out! <insert angry face emoji>

Step 1. Check configuration! All is good in the world

Step 2. Test in dev. Fail login 5 times. Works, although there is an off-by-one error: the 6th login returns the lockout message, not the 5th. To be solved later, focus!

Step 3. Write a script to do this quickly. Humans are slow. Check. Loop. Same result. Sanity prevails.

On attempts 1–5 we know that the password was incorrect, but thereafter we are not given any information, as the account is already locked and the system isn’t checking the password.

Step 4. Adjust script to run attacks (sorry attempts) in parallel. Nothing fancy, just background the jobs in Linux with trusty old &.

Um, I got to 25 attempts. Running locally is obviously a lot faster. Tried a few combinations and got up to 58 attempts before the locked-out response! The problem was a lot worse than what was reported.

Um… read the code (simplified for edification!)

Bug #1. We lock the account out but still return 401 instead of 400. Fixing this solves the off-by-one error!

Bug #2. We should increment the counter in the database, not in the source code. A read-then-write in application code is a race: parallel requests read the same count, each sees “not locked”, and each writes back count + 1. Incrementing in the database means we are always incrementing the latest value in a single atomic operation.

Let’s run it again…

Cha-ching! We have lift-off. Although we actually checked the password 5 times before failing, the results show that we gave the attacker no information other than on attempt 5. The rest said locked, with no indication of whether the password was correct or incorrect.
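As an added illustration (not the author’s code, which is not reproduced on this page), here is a minimal Python model of the two counter implementations: the read-then-write counter that lets parallel requests slip past the limit, and the atomic increment that decides on the value the database hands back. It assumes a 5-attempt threshold where the first five failures get a 401 password verdict and everything after gets a 400 lockout, with a dict and a lock standing in for the database.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

MAX_ATTEMPTS = 5             # lockout threshold from the post
ATTEMPTS = {}                # constructed stand-in for the users table: user -> failed count
_db_lock = threading.Lock()  # stands in for the database's atomic UPDATE

def _db_read(user):
    return ATTEMPTS.get(user, 0)

def _db_write(user, value):
    ATTEMPTS[user] = value

def racy_failed_login(user):
    """The pattern behind the bug: read the counter, decide, write it back.
    Two requests that read the same value both see 'not locked', both get a
    password verdict, and both write count + 1, so one increment is lost."""
    count = _db_read(user)
    if count >= MAX_ATTEMPTS:
        return 400, "locked"
    time.sleep(0.002)               # simulated DB round trip: widens the race window
    _db_write(user, count + 1)      # lost update if another request read the same count
    return 401, "incorrect"

def atomic_failed_login(user):
    """Increment in the database as one atomic operation (think
    UPDATE ... SET attempts = attempts + 1 RETURNING attempts) and decide on
    the returned value. Only the first MAX_ATTEMPTS callers learn the
    password was wrong; everyone else sees the lockout (400, not 401)."""
    with _db_lock:
        new_count = _db_read(user) + 1
        _db_write(user, new_count)
    if new_count > MAX_ATTEMPTS:
        return 400, "locked"
    return 401, "incorrect"

def hammer(handler, user, parallel=40):
    """Fire `parallel` failed logins at once (the backgrounded-jobs test from
    the post) and count how many got a password verdict instead of a lockout."""
    ATTEMPTS.pop(user, None)
    with ThreadPoolExecutor(max_workers=parallel) as pool:
        results = list(pool.map(handler, [user] * parallel))
    return sum(1 for status, _ in results if status == 401)

if __name__ == "__main__":
    print("racy   verdicts:", hammer(racy_failed_login, "alice"))    # usually well over 5
    print("atomic verdicts:", hammer(atomic_failed_login, "alice"))  # exactly 5
```

The racy handler typically hands out far more than five verdicts because the lost updates also leave the stored counter short of the real number of attempts.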
