
Haven't seen this here yet, and please point me in that direction if a thread already exists, but I'd like to request a change to the error message that is displayed at the Self-Service Password Reset Portal.

Currently, if you input a username that does not exist, you are told that the username was not found. This allows an attacker to enumerate valid accounts for your organization and proceed with related attacks against Security Questions, MFA options and other attack avenues.

Could this be a more generic message that does not indicate whether an account is valid or not?


Hi Carl,


We can look into changing this for you. As the Username is the only field on this screen, do you have any recommendations for what message we could provide which would not allude to the Username not existing?

Also, if you're not aware, we have brute force detection built into this page as well.

If you can let us know your preference, we can include it in the next release.

Regards

Click Studios


Thank you for the fast response!

In an instance like this, the more generic, the better.

I think something like "Error - Contact your Administrator/Support" would be a good choice.

I know that this can possibly lead to some problems with troubleshooting, but it prevents the enumeration of valid accounts.


I was not aware of the brute force detection built into the page, but I do know this particular issue was recently a find on a third-party pentest we had performed on our organization.

Is there documentation available detailing this feature? I'd be very interested in looking that over.


Hi Carl,

The Brute Force detection is enabled by default, so unless someone has disabled it, we're surprised your third party pen testers did not mention this to you.

To check if it's enabled, please go to the screen Administration -> Password Reset Portal Administration -> System Settings -> Miscellaneous tab.

Regards

Click Studios


Thank you. I do see this is enabled and it uses session cookies to detect and block brute force attempts.

This is certainly a step in the right direction but is trivial to bypass. Automated tooling allows you to work around this by spinning up another session.

I appreciate the quick responses and look forward to any possible resolution.


Thank you!

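The two design points raised in this thread, a response that does not reveal whether the username exists and a brute-force counter that is not reset by opening a new session, as an added example. This is illustration code, not Click Studios' or Passwordstate's implementation; the user directory, thresholds, and function names are assumptions.

```python
"""Added example (not Passwordstate code): a password-reset endpoint that
(1) returns the same message whether or not the username exists, and
(2) throttles attempts by client address and by target username rather
than by session cookie, so a fresh session does not restart the count.
All names and thresholds are assumptions for illustration."""
from collections import defaultdict
import time

# Constructed directory of valid accounts (assumption; not real data).
KNOWN_USERS = {"alice", "bob"}

# Generic wording suggested in the thread.
GENERIC_MESSAGE = "Error - Contact your Administrator/Support"


def vulnerable_reset(username: str) -> str:
    """'Before' behaviour described in the thread: the response reveals
    whether the account exists, so the page can be used to enumerate users."""
    if username not in KNOWN_USERS:
        return "Username not found"
    return "Reset instructions sent"


class SessionThrottle:
    """Counter keyed on the session cookie only (the weak design discussed
    in the thread): a new session starts from zero."""

    def __init__(self, limit=5):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, session_id: str, client_ip: str, username: str) -> bool:
        self.counts[session_id] += 1
        return self.counts[session_id] <= self.limit


class IpAndUserThrottle:
    """Sliding-window counters keyed on client address and on the target
    username; neither is reset by discarding the session cookie."""

    def __init__(self, limit=5, window_seconds=300, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self.events = defaultdict(list)  # key -> list of timestamps

    def _hit(self, key) -> int:
        now = self.clock()
        recent = [t for t in self.events[key] if now - t < self.window]
        recent.append(now)
        self.events[key] = recent
        return len(recent)

    def allow(self, session_id: str, client_ip: str, username: str) -> bool:
        by_ip = self._hit(("ip", client_ip))
        by_user = self._hit(("user", username.lower()))
        return by_ip <= self.limit and by_user <= self.limit


def hardened_reset(username: str, client_ip: str, session_id: str, throttle) -> str:
    """Uniform response: unknown user, throttled request and successful
    submission all return the same text. Whether the account exists only
    affects server-side actions (e.g. queueing a reset e-mail), never the
    response body."""
    if throttle.allow(session_id, client_ip, username):
        if username in KNOWN_USERS:
            pass  # assumption: queue the reset e-mail / challenge here
    return GENERIC_MESSAGE


def attempts_passing_with_session_rotation(throttle, candidates, client_ip) -> int:
    """Models the weakness described in the thread: one request per fresh
    session from a single address. Returns how many candidate names were
    let through by the throttle; a sound design keeps this at its limit."""
    passed = 0
    for i, name in enumerate(candidates):
        if throttle.allow(f"session-{i}", client_ip, name):
            passed += 1
    return passed
```

The per-username counter matters as much as the per-address one: it also caps attempts against a single account spread across many addresses, which is the case the IP lockout mentioned later in the thread would not cover on its own.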

Thanks Carl.


We've just released build 8951 of Passwordstate with this update in it, and you can follow section '7 Password Reset Portal Upgrade Instructions' in the following document to upgrade your portal - you do not need to update your main install of Passwordstate for this - https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf

In version 9 we are also considering locking out any brute force login attempts by IP Address, but this would also add a management overhead for Passwordstate Administrators if the login attempts were from a legitimate user, i.e. the Passwordstate Administrator would need to remove the blocked IP Address from a menu in the Administration area in Passwordstate.

Regards

Click Studios
