mod-login / MODLOGIN-128

It is possible to fetch password hashes for all users


Details

    • CP: sprint 90
    • 1
    • Core: Platform
    • Q2 2020

    Description

      Overview: there are two endpoints in mod-login that allow fetching user password hashes:

      GET /authn/credentials/{id}
      GET /authn/credentials
      

      The second one allows fetching the password hashes for ALL users.

      This becomes more dangerous considering the recent changes in mod-password-validator that make the password policy less strict (MODPWD-32, MODPWD-35), which may lead to some users having easy-to-guess passwords.

      Also, they are SHA1 hashes.

      All of this combined makes it possible for someone with a valid auth token to run an offline brute-force attack and possibly guess some of the passwords.

      The fix for this issue is TBD. Some possible options:

      1. Remove/hide endpoints.
      2. Revert password policy changes. (Out of scope of this issue, please create a new issue in MODPWD and explain why NIST and NCSC cited in MODPWD-32 are wrong.)
      3. Make sure that a brute-force attack is too expensive/time-consuming.
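      As an added illustration of options 1 and 3 above (example code written for this issue, not mod-login's own code, and the credential record layout and field names are constructed assumptions): the first function strips hash material from a credential record before it leaves the service, and the PBKDF2 pair shows how a salted, iterated KDF differs from a plain SHA1 digest, where identical passwords always yield identical, cheaply computed hashes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: field names below are assumptions, not FOLIO's schema.
SENSITIVE_FIELDS = ("hash", "salt")

def redact_credentials(record: dict) -> dict:
    """Option 1 (hide): return a copy of a credential record with hash
    material removed, so a listing endpoint never exposes it."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}

def sha1_hash(password: str) -> str:
    """The weak form described in the issue: one fast SHA1 over the password,
    so equal passwords give equal digests and each guess costs a single hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Assumption: an iteration count in the hundreds of thousands; tune to your
# hardware so a single verification takes on the order of 100 ms or more.
PBKDF2_ITERATIONS = 200_000

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Option 3 (make guessing expensive): per-user random salt plus an
    iterated KDF. Stored as a self-describing 'alg$iters$salt$hash' string so
    the cost factor can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so verification itself does not leak via timing."""
    try:
        alg, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # Constructed sample record (not a real FOLIO credential).
    record = {"id": "user-1", "userId": "u-1", "hash": sha1_hash("Password1"), "salt": ""}
    print("redacted:", redact_credentials(record))
    stored = pbkdf2_hash("Password1")
    print("stored:", stored)
    print("verify ok:", pbkdf2_verify("Password1", stored))
    print("verify wrong:", pbkdf2_verify("Password2", stored))
```

      The point of the self-describing storage format is that iteration counts can be increased over time; old records keep verifying with their embedded cost until the user next changes their password.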

      Steps to Reproduce:

      1. Log into any FOLIO environment.
      2. Run, with a valid token:

         GET /authn/credentials?length={any limit}

      Expected Results: TBD
      Actual Results: a list of password hashes is returned

              People

                cmcnally Craig McNally
                oleksandrkurash Alexander Kurash