No Protection against Bruteforce attacks on Login page in heroiclabs/nakama

Valid

Reported on

May 24th 2022


Description

Nakama Console does not limit the number of unsuccessful login attempts that can be made in a short period of time.

Proof of Concept

  1. Send a login request.
  2. Capture the login request.
  3. Replay the login request with a different password value.

HTTP request

POST /v2/console/authenticate HTTP/1.1
Host: localhost:7351
Content-Length: 42
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/json
Origin: http://localhost:7351
Referer: http://localhost:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <some-cookies>
Connection: close

{"username":"admin","password":"admin123"}

POC:

Impact

Login brute-force attacks
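The control that is missing here, as an added example (not Nakama's code and not the 3.13.0 fix, whose details this page does not give): a failure counter keyed by username with a lockout window, which the console's authenticate handler would consult before it verifies the password, so repeated wrong guesses for "admin" are refused for a while regardless of where they come from. The type and method names, the thresholds, and the username-keyed design are assumptions.

```go
package main

import (
	"sync"
	"time"
)

type attemptState struct{ failures int; windowStart, lockedUntil time.Time }
// LoginLimiter locks a username out for lockoutFor after maxFailures failed attempts inside window.
type LoginLimiter struct {
	mu                 sync.Mutex
	maxFailures        int
	window, lockoutFor time.Duration
	Now                func() time.Time // clock, replaceable in tests
	state              map[string]*attemptState
}
func NewLoginLimiter(maxFailures int, window, lockoutFor time.Duration) *LoginLimiter {
	return &LoginLimiter{maxFailures: maxFailures, window: window, lockoutFor: lockoutFor,
		Now: time.Now, state: map[string]*attemptState{}}
}

// Allow says whether the handler may check the password at all; on false, answer 429.
func (l *LoginLimiter) Allow(username string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	s := l.state[username]
	return s == nil || !l.Now().Before(s.lockedUntil)
}

// Record registers an attempt's outcome and reports whether the account is now locked.
func (l *LoginLimiter) Record(username string, success bool) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if success { // a verified password clears the failure history
		delete(l.state, username)
		return false
	}
	now, s := l.Now(), l.state[username]
	if s != nil && now.Before(s.lockedUntil) { // already locked: keep the lock as is
		return true
	}
	if s == nil || now.Sub(s.windowStart) > l.window { // first failure, or the window expired
		s = &attemptState{windowStart: now}
	}
	if s.failures++; s.failures >= l.maxFailures {
		s = &attemptState{lockedUntil: now.Add(l.lockoutFor)} // lock; counter restarts afterwards
	}
	l.state[username] = s
	return s.lockedUntil.After(now)
}
```

A handler calls Allow before the password check and Record after it; keep the lockout short, because a username-keyed lock can itself be used to keep the real administrator out, so it is a rate brake rather than a permanent block.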

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. a year ago
heroiclabs/nakama maintainer has acknowledged this report a year ago
Andrei Mihu (Maintainer), a year ago:

Thanks for the report, we're looking into this and will respond in more depth as soon as possible.

Niraj Khatiwada modified the report
a year ago
Andrei Mihu validated this vulnerability a year ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.13.0 with commit e2e02f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE