Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#31505 closed Cleanup/optimization (fixed)

Document possible email address enumeration in PasswordResetView.

Reported by: Mohammad Almazroa Owned by: Mariusz Felisiak
Component: Documentation Version: 3.0
Severity: Normal Keywords: User Enumeration Security Bug
Cc: Florian Apolloner Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hello :)

Description:
While implementing the password reset functionality using:

from django.contrib.auth.views import PasswordResetView, PasswordResetDoneView, PasswordResetConfirmView, PasswordResetCompleteView

It was noticed that an attacker will be able to enumerate registered users emails by the response time of the application. long response time means the email exists, quick response time means it does not exist.

Impact:
This will allow attacker to collect list of users emails, which can help in further attacks. Knowing list of emails can start "Password spraying" attack.

Remediation:

Set up a random sleep time when the email does not exists. The response time of correct and incorrect email should be the same.

Screenshot:
https://i.imgur.com/Sgk3q3T.png

Notice that the email "mmalmazroa@…" is an email that is assigned to a user registered in the application, and the response time in "Response received" tab.

Thank you for your work <3

Change History (14)

comment:1 by Mariusz Felisiak, 5 years ago

Cc: Florian Apolloner added
Summary: User Enumeration in PasswordResetViewUser Enumeration in PasswordResetView.

First of all, please note that security issues should be privately sent to security@… and never on public issue trackers.

Your analysis is correct, however PasswordResetView sends an email which always take an extra time. We don't know how much it takes so adding a fixed delay is impossible and for a random sleep time you'd just need a bit of statistic to figure it out.

I think we could document this potential account existence leak in PasswordResetView.

comment:2 by Mariusz Felisiak, 5 years ago

Component: contrib.authDocumentation
Owner: changed from nobody to Mariusz Felisiak
Status: newassigned

comment:3 by Mariusz Felisiak, 5 years ago

Summary: User Enumeration in PasswordResetView.Document possible email address enumeration in PasswordResetView.
Triage Stage: UnreviewedAccepted
Type: BugCleanup/optimization
Version: 3.0master

comment:4 by Mariusz Felisiak, 5 years ago

Has patch: set
Version: master3.0

in reply to:  description ; comment:5 by Florian Apolloner, 5 years ago

Replying to Mohammad Almazroa:

Remediation:

Set up a random sleep time when the email does not exists. The response time of correct and incorrect email should be the same.

This is not a remediation, you can average that out with a few requests…

in reply to:  5 ; comment:6 by Mohammad Almazroa, 5 years ago

Replying to Florian Apolloner:

Replying to Mohammad Almazroa:

Remediation:

Set up a random sleep time when the email does not exists. The response time of correct and incorrect email should be the same.

This is not a remediation, you can average that out with a few requests…

A random sleep time should be within the range that the "PasswordResetView" is taking to send an email. This way it is not clear what response time that means valid or not valid email.
That is just an idea, if you have something better I think we should do it.

in reply to:  1 comment:7 by Mohammad Almazroa, 5 years ago

Replying to felixxm:

First of all, please note that security issues should be privately sent to security@… and never on public issue trackers.

Your analysis is correct, however PasswordResetView sends an email which always take an extra time. We don't know how much it takes so adding a fixed delay is impossible and for a random sleep time you'd just need a bit of statistic to figure it out.

I think we could document this potential account existence leak in PasswordResetView.

Really sorry that I reported it publicly here.

in reply to:  6 ; comment:8 by Florian Apolloner, 5 years ago

Replying to Mohammad Almazroa:

A random sleep time should be within the range that the "PasswordResetView" is taking to send an email. This way it is not clear what response time that means valid or not valid email.

But you don't know how long sending emails takes, so it will just be a relatively good guess at best which does not help since it can be determined via enough requests…

in reply to:  8 comment:9 by Mohammad Almazroa, 5 years ago

Replying to Florian Apolloner:

Replying to Mohammad Almazroa:

A random sleep time should be within the range that the "PasswordResetView" is taking to send an email. This way it is not clear what response time that means valid or not valid email.

But you don't know how long sending emails takes, so it will just be a relatively good guess at best which does not help since it can be determined via enough requests…

You are totally correct.
And I just saw your comment in github for using "a 3rd party package that allows to send emails asynchronously", I didn't thought of that at all.

Keep up the good work <3

comment:10 by GitHub <noreply@…>, 5 years ago

Resolution: fixed
Status: assignedclosed

In ca769c8:

Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.

comment:11 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

In 04bc3577:

[3.0.x] Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.

Backport of ca769c8c13df46b8153a0a4ab3d748e88d6e26f9 from master

comment:12 by Mohammad Almazroa, 5 years ago

Question: why not fix PasswordResetView? documenting it is just not enough.

in reply to:  12 ; comment:13 by Florian Apolloner, 5 years ago

Replying to Mohammad Almazroa:

Question: why not fix PasswordResetView? documenting it is just not enough.

Well, suggestions on fixes are welcome… Unless we want to change the reset view to enter the username (in which case we'd leak usernames instead), I do not see any obvious way on how to fix this.

in reply to:  13 comment:14 by Mohammad Almazroa, 5 years ago

Replying to Florian Apolloner:

Replying to Mohammad Almazroa:

Question: why not fix PasswordResetView? documenting it is just not enough.

Well, suggestions on fixes are welcome… Unless we want to change the reset view to enter the username (in which case we'd leak usernames instead), I do not see any obvious way on how to fix this.

"you can use a 3rd party package that allows to send emails asynchronously" .. this is your solution and it's valid. why don't you make the reset view sends emails asynchronously?

Note: See TracTickets for help on using tickets.
Back to Top