No Protection against Bruteforce attacks on Login page in heroiclabs/nakama

Valid

Reported on May 24th 2022


Description

Nakama Console does not enforce any limit on the number of unsuccessful login attempts made within a short period of time.

Proof of Concept

  1. Send a login request.
  2. Capture the login request.
  3. Replay the login request with a different password value.

HTTP request

POST /v2/console/authenticate HTTP/1.1
Host: localhost:7351
Content-Length: 42
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/json
Origin: http://localhost:7351
Referer: http://localhost:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <some-cookies>
Connection: close

{"username":"admin","password":"admin123"}

Impact

Login brute-force attacks

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 2 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 2 months ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. 2 months ago
heroiclabs/nakama maintainer has acknowledged this report 2 months ago
Andrei Mihu (Maintainer), 2 months ago:

Thanks for the report, we're looking into this and will respond in more depth as soon as possible.

nerrorsec modified the report
a month ago
Andrei Mihu validated this vulnerability a month ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu confirmed that a fix has been merged on e2e02f a month ago
The fix bounty has been dropped