Issue E. Parallel Requests Bypass Exponentially Increasing Login Delay #825

fpietrosanti opened this Issue Mar 3, 2014 · 2 comments


fpietrosanti commented Mar 3, 2014

Reported: 2014-01-30

Synopsis: GlobaLeaks implements an exponentially-increasing delay when a login fails. An attacker can get around this by sending requests in parallel.

Impact: An attacker can perform online login guessing attacks faster than expected.

Attack Resources: To perform this attack, the attacker must be able to establish multiple connections to the GlobaLeaks web server in parallel.

Feasibility: This issue can be exploited by simply making requests in parallel rather than in series.

Verification: Verified by source code inspection and testing with the script provided in Appendix C. Script for Issue E. When requests are made sequentially, they are held up. When made in parallel, they aren't.

Vulnerability Description:
The login delay is implemented in security_sleep() in globaleaks/handlers/ It is done by calling callLater(), which will freeze the current connection, but will not prevent the attacker from opening a new one.
The current defence only becomes effective when the attacker has exhausted all of the concurrent connections that GlobaLeaks can accept, and GlobaLeaks cannot accept any more concurrent connections, i.e. it is effectively under denial of service.

To mitigate this issue, GlobaLeaks Node administrators should monitor the rate of login requests to detect an attack and respond by either shutting down the server or using a firewall to rate limit the attacker. To monitor the number of concurrent connections, the netstat -ptan command can be used.

It is difficult to find a long-term solution to this problem, since all of the obvious solutions make GlobaLeaks more vulnerable to denial of service attacks. A possible solution might involve requiring the client to solve a computationally- and memory-hard proof of work challenge for each authentication request. We leave this for future work.

Status: Confirmed.

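As an added illustration (not code from the report, and not the GlobaLeaks handler itself), the Python below models the difference the report describes: a delay that lives only in the failing connection, versus a backoff window stored per account and consulted before any password check. `PerConnectionDelay` is an assumed simplification of the reported behaviour, not the real `security_sleep()`; the class names, the `VALID` credential table, the sleep constants and the `parallel_attempts` driver are all constructed for the demo.

```python
import threading
import time


# Constructed demo credential store; a real service compares password hashes.
VALID = {"alice": "correct horse"}


class PerConnectionDelay:
    """Assumed simplification of the reported behaviour: every failed login
    sleeps *its own* connection for an exponentially growing time.  Nothing is
    consulted before the password check, so N parallel connections each get a
    guess evaluated and each wait only once."""

    def __init__(self, base=0.01, cap_exp=6):
        self.base = base
        self.cap_exp = cap_exp
        self.failures = 0
        self.checked = 0          # how many guesses actually reached the password check
        self.lock = threading.Lock()

    def login(self, user, password):
        with self.lock:
            self.checked += 1
        if VALID.get(user) == password:
            return True
        with self.lock:
            self.failures += 1
            n = self.failures
        time.sleep(self.base * 2 ** min(n, self.cap_exp))   # only this connection waits
        return False


class SharedBackoff:
    """Hardened pattern: the backoff window is stored per account and checked,
    under a lock, *before* the password is looked at.  While the window is
    open every request for that account is refused, whichever connection it
    arrives on, so parallelism buys the attacker nothing."""

    def __init__(self, base=1.0, cap=300.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self.state = {}           # user -> (failure count, earliest next attempt)
        self.checked = 0
        self.lock = threading.Lock()

    def login(self, user, password):
        with self.lock:           # one process-wide lock keeps the demo short;
            now = self.clock()    # production code would lock per account
            failures, not_before = self.state.get(user, (0, 0.0))
            if now < not_before:
                return ("throttled", not_before - now)
            self.checked += 1
            if VALID.get(user) == password:
                self.state.pop(user, None)
                return ("ok", 0.0)
            failures += 1
            delay = min(self.cap, self.base * 2 ** (failures - 1))
            self.state[user] = (failures, now + delay)
            return ("failed", delay)


def parallel_attempts(limiter, n, user="alice", password="wrong"):
    """Fire n login attempts concurrently, in the spirit of the report's
    parallel-request test, and collect each connection's outcome."""
    results, out_lock = [], threading.Lock()

    def worker():
        r = limiter.login(user, password)
        with out_lock:
            results.append(r)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    weak = PerConnectionDelay(base=0.001)
    parallel_attempts(weak, 20)
    print("per-connection delay: guesses checked =", weak.checked)
    strong = SharedBackoff()
    outcomes = parallel_attempts(strong, 20)
    print("shared backoff: guesses checked =", strong.checked,
          "throttled =", sum(1 for o in outcomes if o[0] == "throttled"))
```

Running the script shows the weak model evaluating all twenty guesses while the shared backoff evaluates one and refuses the other nineteen. The shared window also refuses the legitimate user during the window, which is exactly the denial-of-service trade-off the report flags; keying the window on source address as well as account, or the proof-of-work idea the report defers, are the usual ways to soften it.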

@fpietrosanti fpietrosanti added this to the LeastAuthorityPentest milestone Mar 3, 2014

@fpietrosanti fpietrosanti changed the title from "Issue E. Confidential" to "Issue E. Parallel Requests Bypass Exponentially Increasing Login Delay" Apr 12, 2014



@vecna vecna self-assigned this Feb 28, 2015



vecna commented May 5, 2015

Proposal: apply the token also to the login; therefore, if too many attempts are triggered, the protections [1] come into place.

[1] delay, hashcash, captcha(s)
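The report above leaves a proof-of-work challenge for future work and this comment lists hashcash among the protections; as an added example (not GlobaLeaks code, and not a design the project adopted), here is a minimal hashcash-style login challenge with both sides of the exchange. It is CPU-hard only, not the memory-hard variant the report suggests; swapping SHA-256 for a memory-hard function such as scrypt or Argon2 would give that. `SERVER_KEY`, the challenge field names, the `|`-separated encoding, the difficulty and the 60-second age limit are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-process server secret for this demo; a deployment would keep
# it in configuration and rotate it.
SERVER_KEY = secrets.token_bytes(32)
_used_nonces = {}   # nonce -> issue time, so a solved challenge cannot be replayed


def _challenge_body(account, bits, issued, nonce):
    return f"{account}|{bits}|{issued}|{nonce}".encode()


def _leading_zero_bits(digest):
    """Count leading zero bits of a digest (the hashcash difficulty measure)."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def issue_challenge(account, bits, clock=time.time):
    """Server side.  The challenge is MAC'd, so the server keeps no state for
    unsolved challenges: a flood of challenge requests has nothing to exhaust."""
    issued, nonce = int(clock()), secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, _challenge_body(account, bits, issued, nonce),
                   hashlib.sha256).hexdigest()
    return {"account": account, "bits": bits, "issued": issued,
            "nonce": nonce, "tag": tag}


def solve_challenge(ch):
    """Client side: search for a counter whose hash meets the difficulty.
    Expected cost is about 2**bits hashes, paid once per login attempt, which
    is the cost that makes parallel guessing expensive."""
    prefix = _challenge_body(ch["account"], ch["bits"], ch["issued"], ch["nonce"]) + b"|"
    counter = 0
    while True:
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if _leading_zero_bits(digest) >= ch["bits"]:
            return counter
        counter += 1


def verify_solution(ch, counter, max_age=60, clock=time.time):
    """Server side, run before the password is even looked at."""
    body = _challenge_body(ch["account"], ch["bits"], ch["issued"], ch["nonce"])
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ch["tag"]):
        return False                      # forged or tampered (e.g. lowered bits)
    now = clock()
    if now - ch["issued"] > max_age:
        return False                      # stale challenge
    for n, t in list(_used_nonces.items()):   # forget nonces that can no longer verify
        if now - t > max_age:
            del _used_nonces[n]
    if ch["nonce"] in _used_nonces:
        return False                      # replayed solution
    digest = hashlib.sha256(body + b"|" + str(counter).encode()).digest()
    if _leading_zero_bits(digest) < ch["bits"]:
        return False                      # work not done
    _used_nonces[ch["nonce"]] = ch["issued"]
    return True


if __name__ == "__main__":
    ch = issue_challenge("alice", 16)
    start = time.perf_counter()
    counter = solve_challenge(ch)
    print("solved in %.3fs, accepted: %s" % (time.perf_counter() - start,
                                            verify_solution(ch, counter)))
    print("replay accepted:", verify_solution(ch, counter))
```

The difficulty can be raised per account or per source address as failures accumulate, giving the exponential cost the original delay intended without holding any connection open on the server side.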
