Devops and password tests
"Umm... could you test to login to X and see if it works the same for you as it worked for me? I'm a bit confused right now."
Tried to login with my own account and with the admin account. Worked just fine.
"No no no. Correct login works. But if you'll input password with x spaces, how it works then?"
Tried my own account + one space as the password. Then with two. Then tried my colleagues account with various number of spaces. And then switched to test with various admin accounts.
No, it shouldn't work like this. If the password was empty, we got the normal reply that the login failed, or if the password was actually wrong. But with only one or more spaces in the password field we got in. No matter what was the account.
My colleague created a ticket to the manufacturer, because we still weren't sure if this was due to misconfiguration or something else.
Things started to escalate quite rapidly. And not long after they had asked some more details, we got a call from quite high level executive of that company. "Umm... It's better if you deny access to the login page for now. And could you please not to speak about this publicly for a little while? We are making a fix for this ASAP...."
They fixed it. And my colleague got some money from their bug bounty program.
Naturally they didn't share with us what was the actual reason for this behavior, but I have some thoughts after discussing with various people.
I don't know how this system does the authentication internally, but for example with LDAP this error is almost too easy to do, so perhaps something similar was going on? The system was connected to a properly configured LDAP but the issue appeared also with the internal accounts.
Unfortunately not many companies are publicly sharing their findings[1]. It would be really interesting to know how this kind of a bug got through their development process, and it would be good that others could learn from that!
So, if you are working in software development, please check that your software test processes (hopefully automated by devops processes....) will really check various login use cases.
[1] Visma is wonderful exception, when they got targeted in cyber espionage campaign in 2017-18 https://www.visma.com/press-releases/intelligence-report-visma/
Tried to login with my own account and with the admin account. Worked just fine.
"No no no. Correct login works. But if you'll input password with x spaces, how it works then?"
Tried my own account + one space as the password. Then with two. Then tried my colleagues account with various number of spaces. And then switched to test with various admin accounts.
No, it shouldn't work like this. If the password was empty, we got the normal reply that the login failed, or if the password was actually wrong. But with only one or more spaces in the password field we got in. No matter what was the account.
My colleague created a ticket to the manufacturer, because we still weren't sure if this was due to misconfiguration or something else.
Things started to escalate quite rapidly. And not long after they had asked some more details, we got a call from quite high level executive of that company. "Umm... It's better if you deny access to the login page for now. And could you please not to speak about this publicly for a little while? We are making a fix for this ASAP...."
They fixed it. And my colleague got some money from their bug bounty program.
Naturally they didn't share with us what was the actual reason for this behavior, but I have some thoughts after discussing with various people.
I don't know how this system does the authentication internally, but for example with LDAP this error is almost too easy to do, so perhaps something similar was going on? The system was connected to a properly configured LDAP but the issue appeared also with the internal accounts.
- Check if the password is empty, and return failed login if it is.
- Strip spaces before and after the password string -> password is now an empty string
- Check if the account is valid by using the provided login details to bind to LDAP. If the bind works, account is valid.
- And forgot that if the password is empty string, it's probably binding anonymously, which is quite often allowed by default in LDAP systems. So, bind works -> login allowed with the provided account name.
Unfortunately not many companies are publicly sharing their findings[1]. It would be really interesting to know how this kind of a bug got through their development process, and it would be good that others could learn from that!
So, if you are working in software development, please check that your software test processes (hopefully automated by devops processes....) will really check various login use cases.
[1] Visma is wonderful exception, when they got targeted in cyber espionage campaign in 2017-18 https://www.visma.com/press-releases/intelligence-report-visma/
Comments
Post a Comment