UI Discrepancy in Password in heroiclabs/nakama
Valid
Reported on Sep 4th 2022
Description
There is a UI discrepancy in the user password section of the Nakama console. For a short password, the UI presents the following message to the user: "Password is required, must be 8 chars or longer and consist of at least a capital letter, a small letter and a number". However, the backend accepts a password of just 6 characters, as can be seen from the following request, which the server accepts.
HTTP Request
POST /v2/console/user HTTP/1.1
Host: 192.168.1.16:7351
Authorization: Bearer <token>
Cookie: <cookies>

{"username":"test","email":"test@example.com","password":"Abc123","role":4,"newsletter_subscription":false}
The request sends a password of just 6 characters, and the user account is still created.
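As an added example (not Nakama's own code), a server-side validator that enforces exactly the policy the console UI advertises, so a backend using it would reject the 6-character password from the request above no matter what the client sends. The lenient 6-character check it is compared against is a constructed stand-in for the behaviour the report observed, and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
)

// ErrWeakPassword reuses the exact policy text the console UI shows, so the
// server's rejection message and the client's hint cannot drift apart.
var ErrWeakPassword = errors.New("Password is required, must be 8 chars or longer " +
	"and consist of at least a capital letter, a small letter and a number")

// ValidatePassword enforces the advertised policy on the server. It counts
// runes rather than bytes so multi-byte characters are not over-counted.
func ValidatePassword(pw string) error {
	var hasUpper, hasLower, hasDigit bool
	length := 0
	for _, r := range pw {
		length++
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if length < 8 || !hasUpper || !hasLower || !hasDigit {
		return ErrWeakPassword
	}
	return nil
}

// lenientBackendAccepts is a constructed stand-in for a backend that only
// checks a 6-character minimum (an assumption, not Nakama's actual code).
func lenientBackendAccepts(pw string) bool { return len(pw) >= 6 }

// Mismatch reports the discrepancy from the report: the lenient backend
// accepts a password that the advertised UI policy would reject.
func Mismatch(pw string) bool {
	return lenientBackendAccepts(pw) && ValidatePassword(pw) != nil
}

func main() {
	// Constructed samples: the password from the report plus edge cases.
	for _, pw := range []string{"Abc123", "Abcdefgh", "abcdefg1", "Abcdef12"} {
		fmt.Printf("%-10q policy=%v mismatch=%v\n", pw, ValidatePassword(pw) == nil, Mismatch(pw))
	}
}
```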
Impact
The user interface provides feedback that leads the user to believe the feature is in a secure state, although it is not working securely as intended.
Occurrences
console_user.go#L171 has been validated
Status
The report was modified by Niraj Khatiwada. A member of the heroiclabs/nakama team has been contacted and a response is awaited.
The researcher received a minor credibility penalty for miscalculating the severity (-1); the researcher's credibility increased (+7).
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
This vulnerability is scheduled to go public on Feb 1st 2023.