[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle
WordPress Trac
noreply at wordpress.org
Fri Nov 9 14:05:48 UTC 2018
#45318: Security problem: Login Oracle
--------------------------+------------------------------
Reporter: d0rkpress | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9.8
Severity: major | Resolution:
Keywords: close | Focuses:
--------------------------+------------------------------
Changes (by SergeyBiryukov):
* keywords: Authentication needs-patch => close
Old description:
> Hello,
>
> when logging in to WordPress one can tell from the error message whether
> the user account exists or not. It's either "ERROR: The password you
> entered for the username <USERNAME> is incorrect" or "ERROR: Invalid
> username".
>
> This is basically missing the 101 security requirement of a login, see
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Incorrect_Response_Examples.
>
> Yes, I read that:
> https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
> But in 2018 it is time to change this. You need just to look into any
> logfile of any webserver and you will find lots of probes for the
> WordPress login.
>
> The threat is that it minimizes an attacker's effort considerably, by a
> 2 x square root factor. Let's say in 1000 user accounts I have one hit on
> a web site, for a password guess I have another 1 in 1000 hits. Without a
> login oracle I would need 1000^2 tries to get a hold of a login. With
> this oracle I need 1000 + 10000 tries. One million requests vs. 2000
> makes a huge difference.
>
> Please
>
> Thanks, Dirk (OWASP guy, Pentester, Consultant, IT Security >20yrs
> professional experience)
New description:
Hello,

when logging in to WordPress one can tell from the error message whether
the user account exists or not. It's either "ERROR: The password you
entered for the username <USERNAME> is incorrect" or "ERROR: Invalid
username".

This is basically missing the 101 security requirement of a login, see
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Incorrect_Response_Examples.

Yes, I read that:
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
But in 2018 it is time to change this. You need just to look into any
logfile of any webserver and you will find lots of probes for the
WordPress login.

The threat is that it minimizes an attacker's effort considerably, by a
2 x square root factor. Let's say in 1000 user accounts I have one hit on
a web site, for a password guess I have another 1 in 1000 hits. Without a
login oracle I would need 1000!^2 tries to get a hold of a login. With
this oracle I need 1000 + 10000 tries. One million requests vs. 2000
makes a huge difference.

Please

Thanks, Dirk (OWASP guy, Pentester, Consultant, IT Security >20yrs
professional experience)
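For site owners who want the behaviour the report asks for without waiting on core, the usual mitigation is a small must-use plugin that collapses the two credential errors into one generic message. The following is an added example written for this page; it is not code from the ticket, from WordPress core, or from the reporter. It assumes a standard install where files in `wp-content/mu-plugins/` are loaded, and it relies on core's real `authenticate` filter, on which the built-in username/password and email/password callbacks run at priority 20 and the spam check at 99. The function name `uniform_login_errors_normalize` and the error code `invalid_credentials` are choices made here, not core identifiers.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (added example, not WordPress core code)
 * Description: Replaces the "invalid username" / "incorrect password"
 *              distinction with one generic error so the login form does
 *              not confirm whether an account exists.
 *
 * Assumption: placed in wp-content/mu-plugins/ on a standard install.
 */

// Priority 100: run after core's credential checks (20) and spam check (99),
// so the WP_Error they produced is what we see here.
add_filter( 'authenticate', 'uniform_login_errors_normalize', 100, 3 );

/**
 * Normalize account-revealing login errors into a single generic one.
 *
 * @param WP_User|WP_Error|null $user     Result of earlier authenticate callbacks.
 * @param string                $username Submitted username or email address.
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function uniform_login_errors_normalize( $user, $username, $password ) {
	// A successful login (WP_User) or an undecided result (null) passes through.
	if ( ! is_wp_error( $user ) ) {
		return $user;
	}

	// Error codes emitted by core that differ depending on whether the
	// account exists. Other codes (empty_username, empty_password, ...)
	// reveal nothing about accounts and are left untouched.
	$revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

	if ( ! in_array( $user->get_error_code(), $revealing, true ) ) {
		return $user;
	}

	// One message for both the "no such user" and "wrong password" cases.
	// The lost-password link is kept so the form stays usable.
	$message = sprintf(
		__( '<strong>ERROR</strong>: Invalid username or password. <a href="%s">Lost your password?</a>' ),
		esc_url( wp_lostpassword_url() )
	);

	return new WP_Error( 'invalid_credentials', $message );
}
```

Two caveats a reviewer would raise. First, this only equalizes the message text: core's username/password callback returns `invalid_username` before it ever hashes the submitted password, so the response time for a nonexistent account can still differ from that for a real one, and a deployment that cares about the oracle should also apply rate limiting on the login endpoint. Second, as the maintainer's comment below notes, usernames remain discoverable through `/author/{slug}` archives, so the plugin narrows one channel rather than making usernames private. WordPress also offers a `login_errors` filter on the already-rendered error HTML; hooking the `WP_Error` object via `authenticate` instead keeps the non-credential errors intact.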
--
Comment:
Hi @d0rkpress, welcome to WordPress Trac! Thanks for the report.
Just noting this has been previously reported a few times, most recently
in #40667.
As stated in the [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue handbook article]
you've linked to, we don't consider usernames (and by extension, the
existence of accounts) to be private. A similar thing can be achieved just
by browsing the `/author/{slug}` views.
We need to balance user friendliness with information disclosure and as
[https://halfelf.org/2014/username-secret/ usernames are not considered
private information], user friendliness wins here.
Please don't ignore the warning that Trac displays when creating security
tickets. If you believe you've found a vulnerability, please
[https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues disclose it to us privately],
[https://hackerone.com/wordpress via HackerOne].
Related: #3708, #4290, #5301, #12129, #22421, #27125, #31787, #40667.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45318#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform