Page MenuHomePhabricator

Add a rate limit for guessing old passwords when changing passwords
ClosedPublic

Authored by epriestley on Jan 22 2018, 1:52 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 24, 12:31 AM
Unknown Object (File)
Fri, Nov 22, 8:31 PM
Unknown Object (File)
Thu, Nov 21, 9:40 AM
Unknown Object (File)
Sun, Nov 17, 6:02 PM
Unknown Object (File)
Fri, Nov 15, 6:58 AM
Unknown Object (File)
Sun, Nov 10, 11:43 AM
Unknown Object (File)
Wed, Nov 6, 6:56 AM
Unknown Object (File)
Oct 13 2024, 11:53 PM
Subscribers
None

Details

Summary

Depends on D18904. Ref T13043. If an attacker compromises a victim's session and bypasses their MFA, they can try to guess the user's current account password by making repeated requests to change it: if they guess the right "Old Password", they get a different error than if they don't.

I don't think this is really a very serious concern (the attacker already got a session and MFA, if configured, somehow; many installs don't use passwords anyway) but we get occasional reports about it from HackerOne. Technically, it's better policy to rate limit it, and this should reduce the reports we receive.

Test Plan

Tried to change password over and over again, eventually got rated limited. Used bin/auth unlimit to clear the limit, changed password normally without issues.

Diff Detail

Repository
rP Phabricator
Branch
revoke16
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 19109
Build 25798: Run Core Tests
Build 25797: arc lint + arc unit