Page MenuHomePhabricator

Add a rate limit for guessing old passwords when changing passwords
ClosedPublic

Authored by epriestley on Jan 22 2018, 1:52 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 19, 7:07 PM
Unknown Object (File)
Thu, Apr 18, 11:47 PM
Unknown Object (File)
Wed, Apr 17, 2:36 PM
Unknown Object (File)
Sat, Apr 6, 9:32 AM
Unknown Object (File)
Fri, Mar 29, 1:26 PM
Unknown Object (File)
Tue, Mar 26, 9:02 AM
Unknown Object (File)
Mar 20 2024, 11:34 PM
Unknown Object (File)
Feb 28 2024, 3:52 PM
Subscribers
None

Details

Summary

Depends on D18904. Ref T13043. If an attacker compromises a victim's session and bypasses their MFA, they can try to guess the user's current account password by making repeated requests to change it: if they guess the right "Old Password", they get a different error than if they don't.

I don't think this is really a very serious concern (the attacker already got a session and MFA, if configured, somehow; many installs don't use passwords anyway) but we get occasional reports about it from HackerOne. Technically, it's better policy to rate limit it, and this should reduce the reports we receive.

Test Plan

Tried to change password over and over again, eventually got rated limited. Used bin/auth unlimit to clear the limit, changed password normally without issues.

Diff Detail

Repository
rP Phabricator
Branch
revoke16
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 19109
Build 25798: Run Core Tests
Build 25797: arc lint + arc unit