Page MenuHomePhabricator

Add a rate limit for guessing old passwords when changing passwords
ClosedPublic

Authored by epriestley on Jan 22 2018, 1:52 AM.

Details

Summary

Depends on D18904. Ref T13043. If an attacker compromises a victim's session and bypasses their MFA, they can try to guess the user's current account password by making repeated requests to change it: if they guess the right "Old Password", they get a different error than if they don't.

I don't think this is really a very serious concern (the attacker already got a session and MFA, if configured, somehow; many installs don't use passwords anyway) but we get occasional reports about it from HackerOne. Technically, it's better policy to rate limit it, and this should reduce the reports we receive.

Test Plan

Tried to change password over and over again, eventually got rated limited. Used bin/auth unlimit to clear the limit, changed password normally without issues.

Diff Detail

Repository
rP Phabricator
Branch
revoke16
Lint
Lint OK
Unit
Unit Tests OK
Build Status
Buildable 19109
Build 25798: Run Core Tests
Build 25797: arc lint + arc unit

Event Timeline

epriestley created this revision.Jan 22 2018, 1:52 AM
epriestley requested review of this revision.Jan 22 2018, 1:53 AM
amckinley accepted this revision.Jan 23 2018, 7:50 PM
This revision is now accepted and ready to land.Jan 23 2018, 7:50 PM
This revision was automatically updated to reflect the committed changes.