Observable Response Discrepancy in heroiclabs/nakama
Jan 21st 2022
It is possible to enumerate usernames via the login function.
Proof of Concept
The login response reveals whether the username is registered in the application. If the user is registered and a wrong password is provided, the following information is displayed:
If the user is not registered, the message contains the following:
Invalid Nakama Console credentials.
It is possible to enumerate usernames of registered users in the application. An attacker can then chain this information with other attacks.
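As an added illustration (not code from the report or from Nakama itself), here is a minimal Go login handler in the leaky shape the report describes beside a hardened form that returns one generic message for both failure cases, plus the check a defender would run against a handler; the user store, the hash function and the known-user error text are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Stand-in for a real password hash (use bcrypt or argon2id in production).
func hashPassword(p string) [32]byte { return sha256.Sum256([]byte(p)) }
// Constructed sample store (not Nakama's data): username -> password hash.
var users = map[string][32]byte{"alice": hashPassword("correct horse battery staple")}
// Compared against for unknown usernames so both branches do the same work.
var dummyHash = hashPassword("dummy-value-never-a-real-password")
// The message the page shows for an unregistered username.
var ErrInvalidCredentials = errors.New("Invalid Nakama Console credentials.")

// loginLeaky reproduces the reported discrepancy: unknown user and wrong
// password give different messages (known-user text is a placeholder).
func loginLeaky(user, pass string) error {
	h, ok := users[user]
	if !ok {
		return ErrInvalidCredentials
	}
	hp := sha256.Sum256([]byte(pass))
	if subtle.ConstantTimeCompare(h[:], hp[:]) != 1 {
		return errors.New("Incorrect password for " + user + ".") // placeholder
	}
	return nil
}

// loginUniform is the hardened form: one generic message for both failures,
// and the hash comparison runs even for unknown users to avoid a timing tell.
func loginUniform(user, pass string) error {
	h, ok := users[user]
	if !ok {
		h = dummyHash
	}
	hp := sha256.Sum256([]byte(pass))
	if match := subtle.ConstantTimeCompare(h[:], hp[:]) == 1; !ok || !match {
		return ErrInvalidCredentials
	}
	return nil
}

// distinguishable: with a wrong password, do known and unknown users differ?
func distinguishable(login func(string, string) error, known, unknown string) bool {
	a, b := login(known, "wrong"), login(unknown, "wrong")
	return a == nil || b == nil || a.Error() != b.Error()
}
```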
Strictly speaking this is a vulnerability - however, practically speaking, this is of extremely low impact from a security standpoint.
Typically (and based on our recommendation) the Nakama Console should only be exposed to internal networks and not the internet. If exposed to the net, this could be an attack vector for an unknown/bad actor to try and guess users/passwords.
Low on priority due to the nature of deployment, but we’ll fix this at a later date.
Regardless if the application is only exposed to internal networks or not, a vulnerability is a vulnerability is a vulnerability.
We agree it is technically a vulnerability. This is why we acknowledged it, awarded the bounty, and fixed the issue already.