Observable Response Discrepancy in heroiclabs/nakama

Valid

Reported on

Jan 21st 2022


Description

It is possible to enumerate registered usernames via the Nakama Console log-in function, because the error returned for a wrong password differs from the error returned for an unknown username.

Proof of Concept

The login response reveals whether the username is registered in the application. If the user is registered and a wrong password is provided, the following message is displayed:

Invalid credentials.

If the user is not registered, the response contains a different message instead:

Invalid Nakama Console credentials.
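The following is an added example, not code from the Nakama project or from the reporter, that reproduces the discrepancy in a minimal form and shows the fix. It models a console login handler in Go (Nakama's own language) with an in-memory user store and a deliberately simplified `hashPassword` stand-in for a real slow password hash; the usernames, passwords and error strings are constructed for the example, with the two error strings copied from the report. `vulnerableLogin` returns a different message on the unknown-user path and the wrong-password path; `hardenedLogin` returns one message for every failure and performs the hash comparison even when the user does not exist, so neither the response text nor the response time distinguishes the two cases. `enumerate` is the attacker's view: it probes a candidate list with a wrong password and keeps every username whose error differs from the unknown-user baseline.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Error values modelled on the two responses quoted in the report.
var (
	errWrongPassword = errors.New("Invalid credentials.")
	errUnknownUser   = errors.New("Invalid Nakama Console credentials.")
	errUniform       = errors.New("Invalid credentials.") // the only failure message after the fix
)

// hashPassword is a deliberately simple stand-in (assumption for this example)
// so it runs with only the standard library; a real deployment uses a slow
// password hash such as bcrypt or argon2 in its place.
func hashPassword(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// userStore maps console usernames to stored password hashes (constructed data).
type userStore map[string][]byte

// vulnerableLogin reproduces the discrepancy described in the report: the
// "user not found" and "wrong password" paths return different messages.
func vulnerableLogin(store userStore, username, password string) error {
	stored, ok := store[username]
	if !ok {
		return errUnknownUser
	}
	if subtle.ConstantTimeCompare(stored, hashPassword(password)) != 1 {
		return errWrongPassword
	}
	return nil
}

// dummyHash is compared against when the username does not exist, so the
// unknown-user path costs the same as the wrong-password path.
var dummyHash = hashPassword("dummy-password-never-accepted")

// hardenedLogin returns one message for every failure and always runs the
// password comparison, so the response reveals nothing about which
// usernames are registered.
func hardenedLogin(store userStore, username, password string) error {
	stored, ok := store[username]
	if !ok {
		stored = dummyHash
	}
	match := subtle.ConstantTimeCompare(stored, hashPassword(password)) == 1
	if !ok || !match { // an unknown user fails even if the dummy hash matched
		return errUniform
	}
	return nil
}

// enumerate probes each candidate with a wrong password and returns the
// usernames whose error text differs from the unknown-user baseline.
func enumerate(login func(username, password string) error, candidates []string) []string {
	baseline := login("nobody-7f3a9c-does-not-exist", "wrong") // assumed not to exist
	var found []string
	for _, c := range candidates {
		err := login(c, "wrong-password")
		if err != nil && baseline != nil && err.Error() != baseline.Error() {
			found = append(found, c)
		}
	}
	return found
}

func main() {
	store := userStore{"admin": hashPassword("s3cret"), "alice": hashPassword("hunter2")}
	candidates := []string{"admin", "alice", "bob", "carol"}
	vuln := func(u, p string) error { return vulnerableLogin(store, u, p) }
	hard := func(u, p string) error { return hardenedLogin(store, u, p) }
	fmt.Println("vulnerable endpoint leaks:", enumerate(vuln, candidates)) // [admin alice]
	fmt.Println("hardened endpoint leaks:  ", enumerate(hard, candidates)) // []
}
```

The uniform message alone closes the discrepancy the report describes; the dummy-hash comparison is the companion fix a practitioner would add at the same time, since skipping the hash on the unknown-user path would otherwise leave a measurable timing difference that a patient attacker could use for the same enumeration.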

Impact

It is possible to enumerate the usernames of registered users of the application. An attacker can then use the confirmed list in further attacks, for example targeted password guessing or credential stuffing against only those accounts that are known to exist.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 4 months ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. 4 months ago
heroiclabs/nakama maintainer (Maintainer), 4 months ago:

Strictly speaking this is a vulnerability - however practically speaking this is extremely low impact from a security standpoint.

Typically (and based on our recommendation) the Nakama Console should only be exposed to internal networks and not the internet. If exposed to the net, this could be an attack vector for an unknown/bad actor to try and guess users/password.

Low on priority due to the nature of deployment, but we’ll fix this at a later date.

Mo Firouz validated this vulnerability 4 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. 3 months ago
heroiclabs/nakama maintainer confirmed that a fix has been merged on afe8bd 3 months ago
The fix bounty has been dropped