You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "Alex Deparvu (JIRA)" <ji...@apache.org> on 2018/05/23 10:09:00 UTC

[jira] [Created] (OAK-7506) Prevent user enumeration by exploiting time delay vulnerability

Alex Deparvu created OAK-7506:
---------------------------------

             Summary: Prevent user enumeration by exploiting time delay vulnerability
                 Key: OAK-7506
                 URL: https://issues.apache.org/jira/browse/OAK-7506
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: security
            Reporter: Alex Deparvu
            Assignee: Alex Deparvu


Pasting here the improvement request: "If the server response is different for existing and not existing usernames, the attacker is able to enumerate valid usernames with guessing attacks. He is thereby able to focus his password guessing attacks to the existing accounts."

The fix for this particular issue seems trivial, at the cost of making the login operation slower in the case the user doesn't actually exist.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)