3

I found a login page for a city/edu organisation that has no session times, no retry counter/lockout, and no delays if too many tries are made in a certain timeframe. I am able to exploit this to get a lower level/student password in under 10 mins (assgnes password by the organisation arent very good). Should I report this to them?

EDIT: Should also mention this is also useable to gain access to higher level credentials, they would just take more time as they are custom passwords.

Xander
  • 33
  • 3

3 Answers3

2

Careful! Based on what you're saying, you've already donned the Hat, and now it's up for interpretation whether it's a Black, Grey, or White Hat. Depending on localities, you may actually have already committed a felony. System administrators can get very protective of their systems, and they don't always see the honest-guy-shows-you-your-lock-is-broken angle.

This may be a job for anonymous tips, unless you have a good working relationship with a staff member who could report it for you and keep your identity confidential.

It absolutely does need reporting, but don't accidentally martyr yourself being a good Samaritan.

Tim G
  • 156
  • 3
  • I attempted offline how fast my computer could test each type of password used by the org and then set a trial of 10 for the website. It was not malicious and done only on my account. But, yeah I hope that nothing bad comes of me trying to help... – Xander Apr 27 '16 at 00:50
  • It (almost) doesn't matter whether or not you only tried this on your account. You shall never interact with a system in that way without a written agreement. It might seem harmless to you, but the Justice usually doesn't like that… at all. :-) Related: https://security.stackexchange.com/q/100097 – Yuriko Apr 27 '16 at 05:16
1

Yes, this is a serious security oversight and needs to be reported so it can be fixed immediately.

torchhound
  • 156
  • 5
0

I think there might some reasons behind for not using lockout/retry counter:

  1. For any invalid username input or good username/bad password input, it should always return error message 'Invalid username or password'. Or the error message will leak user information.

  2. For lockout, it is not valid non existing users; locking out existing users might even worse as there is a potential DoS attack.

  3. Re-try counter should not be username based, again, not proper defined error message might leak users' existence. However, if is not username based, session based or ip based won't help much as session could always initiated a new one, and ip could be impersonated.

Kaizhe Huang
  • 101
  • 1
  • Im saying that you can try an infinite number on an existing username. Usernames are public record for this org. If you try more than 10 times put a 30 second timeout or something on it is all I'm saying. – Xander Apr 27 '16 at 00:52
  • Well, first, if the usernames are known by public, it is a severe issue already. – Kaizhe Huang Apr 27 '16 at 00:58
  • Its a government org, everyone is assigned a unique numerical ID. They aren't hard to find and nobody is secretive about theirs. The higher up you get on the totem pole the lower the number of digits in your id. I think it goes down to 4. – Xander Apr 27 '16 at 01:02