Observable Response Discrepancy in heroiclabs/nakama

Valid

Reported on

Jan 21st 2022


Description

It is possible to enumerate usernames via the Log-In function.

Proof of Concept

The login response reveals whether the username is registered in the application. If the user is registered and a wrong password is provided, the following message is displayed:

Invalid credentials.

If the user is not registered, the message is instead:

Invalid Nakama Console credentials.

Impact

It is possible to enumerate usernames of registered users in the application. An attacker can then chain this information with other attacks.
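As an added illustration (not Nakama's code and not the fix commit), here is a minimal Go login check that reproduces the two distinct messages from the report beside a variant that returns a single message and always runs the hash comparison, so neither the error text nor the timing reveals whether the username exists. The in-memory user store, the salt and the SHA-256 stand-in for a real password hash are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// hashPassword stands in for a real slow password hash (bcrypt/argon2).
func hashPassword(pw string) []byte {
	h := sha256.Sum256([]byte("constructed-salt:" + pw))
	return h[:]
}

// Constructed in-memory user store; a real console reads users from its database.
var users = map[string][]byte{"admin": hashPassword("correct-horse")}

// dummyHash is compared when the username is unknown, so that path does the same work.
var dummyHash = hashPassword("not-a-real-password")
var errInvalidCredentials = errors.New("Invalid credentials.")

// loginLeaky reproduces the reported behaviour: the error text depends on whether the user exists.
func loginLeaky(username, password string) error {
	stored, ok := users[username]
	if !ok {
		return errors.New("Invalid Nakama Console credentials.")
	}
	if subtle.ConstantTimeCompare(stored, hashPassword(password)) != 1 {
		return errInvalidCredentials
	}
	return nil
}

// loginUniform returns one error for both failures and always runs the hash comparison.
func loginUniform(username, password string) error {
	stored, ok := users[username]
	if !ok {
		stored = dummyHash
	}
	match := subtle.ConstantTimeCompare(stored, hashPassword(password)) == 1
	if !ok || !match {
		return errInvalidCredentials
	}
	return nil
}

func main() {
	fmt.Println(loginLeaky("nobody", "wrong"), "|", loginUniform("nobody", "wrong"))
}
```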

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. a year ago
heroiclabs/nakama maintainer
a year ago

Maintainer


Strictly speaking this is a vulnerability - however practically speaking this is extremely low impact from a security standpoint.

Typically (and based on our recommendation) the Nakama Console should only be exposed to internal networks and not the internet. If exposed to the net, this could be an attack vector for an unknown/bad actor to try and guess users/password.

Low on priority due to the nature of deployment, but we’ll fix this at a later date.

Mo Firouz validated this vulnerability a year ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. a year ago
heroiclabs/nakama maintainer marked this as fixed in v3.11.0 with commit afe8bd a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Daniel Hunt
6 months ago

Regardless if the application is only exposed to internal networks or not, a vulnerability is a vulnerability is a vulnerability.

Andrei Mihu
6 months ago

Maintainer


We agree it is technically a vulnerability. This is why we acknowledged it, awarded the bounty, and fixed the issue already.
