Page MenuHomePhabricator

Add a rate limit for guessing old passwords when changing passwords
ClosedPublic

Authored by epriestley on Jan 22 2018, 1:52 AM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Mar 26, 9:02 AM
Unknown Object (File)
Wed, Mar 20, 11:34 PM
Unknown Object (File)
Wed, Feb 28, 3:52 PM
Unknown Object (File)
Jan 28 2024, 11:33 PM
Unknown Object (File)
Dec 23 2023, 8:59 AM
Unknown Object (File)
Dec 12 2023, 8:36 PM
Unknown Object (File)
Dec 6 2023, 7:45 PM
Unknown Object (File)
Nov 30 2023, 1:56 PM
Subscribers
None

Details

Summary

Depends on D18904. Ref T13043. If an attacker compromises a victim's session and bypasses their MFA, they can try to guess the user's current account password by making repeated requests to change it: if they guess the right "Old Password", they get a different error than if they don't.

I don't think this is really a very serious concern (the attacker already got a session and MFA, if configured, somehow; many installs don't use passwords anyway) but we get occasional reports about it from HackerOne. Technically, it's better policy to rate limit it, and this should reduce the reports we receive.

Test Plan

Tried to change password over and over again, eventually got rated limited. Used bin/auth unlimit to clear the limit, changed password normally without issues.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable