
[v1.0.0b] - Time based user enumeration in the /api/auth/token endpoint  #1336

Closed
@underfl0w

Description

First Check

  • This is not a feature request
  • I added a very descriptive title to this issue.
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.

What is the issue you are experiencing?

Time-based user enumeration

The login functionality of Mealie allows an unauthenticated user to enumerate existing accounts by timing the server's response time.

The average time it takes the API server to respond is significantly lower for non-existing users than existing users.


Impact

The impact on Mealie is low (3,7); there will only be a handful of users on any deployment of Mealie. I am assuming that the probability of finding valid usernames on a randomly exposed instance is low.

The attack complexity is high, and the impact on confidentiality is low.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - Low 3,7
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

The vulnerability is related to CWE-203.

Fixes

Perform cryptographic operation

It is also possible to separate the logic of checking usernames and passwords inside core/security/security.py into two different checks.

Then call the verify_password function with some random invalid data so that both checks take a similar amount of time to complete:

    # Unknown user: still run a bcrypt verification against a fixed, invalid
    # hash so the failure takes as long as a real password check would.
    if not user:
        verify_password("abc123cba321", "$2b$12$JdHtJOlkPFwyxdjdygEzPOtYmdQF5/R5tHxw5Tq8pxjubyLqdIX5i")
        return False

    # Existing user: verify the supplied password against the stored hash.
    if not verify_password(password, user.password):
        return False

Set minimum response time

A possible fix would be to set a minimum randomized time that must elapse before the auth function returns a response code. The time should be between the fastest and slowest time it takes to calculate and compare the password hash.


References

https://www.hacksplaining.com/prevention/user-enumeration
https://cwe.mitre.org/data/definitions/203.html
https://www.cvedetails.com/vulnerability-list/cweid-203/vulnerabilities.html

Deployment

Docker (Linux), Other

Deployment Details

No response
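An added, self-contained illustration of the dummy-verification fix proposed in the report (example code written for this page, not Mealie's own). It assumes a PBKDF2 stand-in for Mealie's bcrypt verify_password, a constructed in-memory user store, and hypothetical function names authenticate_vulnerable, authenticate_hardened and median_seconds; it shows the fast path that leaks account existence beside the hardened version whose unknown-user branch pays the same hashing cost.

```python
import hashlib
import hmac
import os
import time
# Constructed stand-in for Mealie's bcrypt verify_password: PBKDF2 with a high iteration count.
ITERATIONS = 50_000

def hash_password(password: str, salt: bytes = b"") -> bytes:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed user store; the dummy hash is built once so the not-found branch can reuse it.
USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY_HASH = hash_password("dummy-password-never-accepted")

def authenticate_vulnerable(username: str, password: str) -> bool:
    # Returns at once for unknown users: the fast path reveals which accounts exist.
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)

def authenticate_hardened(username: str, password: str) -> bool:
    # Unknown user: verify against the fixed dummy hash, then refuse, so both paths cost the same.
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, stored)

def median_seconds(fn, *args, rounds: int = 5) -> float:
    # Median wall-clock time per call, the kind of measurement behind the report's graph.
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[rounds // 2]

if __name__ == "__main__":
    for label, fn in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        print(label, median_seconds(fn, "alice", "wrong"), median_seconds(fn, "nobody", "wrong"))
```

Running it prints, for each variant, the median response time for an existing and for an unknown user; the vulnerable variant shows the gap the report describes, the hardened one closes it.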
