Subject of the issue
When a user logs in, the application returns different results depending on whether the account is correct, which allows an attacker to determine if a given username is valid.
Your environment
EMQ X 3.x
Steps to reproduce
The problem lies in the "/api/v3/auth" interface.
If you log in using an existing account and the password is incorrect, "Password Error" is displayed.
"Username Not Found" is displayed when you log in using a non-existent account.
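As an added illustration (not EMQ X's own code), the response oracle described in this report next to a handler that returns one generic failure message, using a constructed in-memory user store; `leaks_username` is a hypothetical check that compares the wrong-password and unknown-user responses:

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store (not EMQ X's real storage): username -> (salt, pbkdf2 hash)
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct-horse", _SALT))}

# Random dummy credential so the unknown-user path does the same hashing work
# as a real lookup, which keeps the two failure paths comparable in timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def auth_vulnerable(username: str, password: str) -> dict:
    """Mirrors the reported /api/v3/auth behaviour: the error message reveals
    whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return {"code": 1, "message": "Username Not Found"}
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return {"code": 1, "message": "Password Error"}
    return {"code": 0, "message": "ok"}

def auth_hardened(username: str, password: str) -> dict:
    """Single generic failure response for both unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        return {"code": 1, "message": "Invalid username or password"}
    return {"code": 0, "message": "ok"}

def leaks_username(auth_fn) -> bool:
    """Enumeration check: do a wrong-password attempt and a no-such-user
    attempt produce different responses?"""
    return auth_fn("admin", "wrong") != auth_fn("nobody", "wrong")
```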
That version of EMQ X (3.x) is no longer supported. Fortunately, on the latest 4.3.11 (/api/v4/auth), that issue is now resolved. Not only do you have to be already authenticated to use this API, but the return is the same for both non-existent users and wrong passwords: