Page MenuHomePhabricator

Add a rate limit for guessing old passwords when changing passwords

Authored by epriestley on Jan 22 2018, 1:52 AM.



Depends on D18904. Ref T13043. If an attacker compromises a victim's session and bypasses their MFA, they can try to guess the user's current account password by making repeated requests to change it: if they guess the right "Old Password", they get a different error than if they don't.

I don't think this is really a very serious concern (the attacker already got a session and MFA, if configured, somehow; many installs don't use passwords anyway) but we get occasional reports about it from HackerOne. Technically, it's better policy to rate limit it, and this should reduce the reports we receive.

Test Plan

Tried to change password over and over again, eventually got rated limited. Used bin/auth unlimit to clear the limit, changed password normally without issues.

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Jan 22 2018, 1:52 AM
epriestley requested review of this revision.Jan 22 2018, 1:53 AM
amckinley accepted this revision.Jan 23 2018, 7:50 PM
This revision is now accepted and ready to land.Jan 23 2018, 7:50 PM
This revision was automatically updated to reflect the committed changes.