Application allows excessively long password value in vriteio/vrite

Valid

Reported on

Oct 2nd 2023


Description

Vrite v0.2.0 allows excessively long passwords to be set for user accounts which introduce several issues and challenges, primarily related to performance, storage, and compatibility.

Proof of Concept

1. Make an user profile in the app.
2. Go to settings > security > Change password.
3. In place of new password provide a very long string as input & application will accept the same without any warnings or errors.  

PoC

1. Attaching sample data for reference.
2. Sample password for testing : https://drive.google.com/file/d/1BD2zySREDDhEUnwTn1w8r7Vuf6eSqPxa/view?usp=sharing
3. Sample request : https://drive.google.com/file/d/1V94FB-AvWgfslrEKpUbjCRyZeiyt4jkH/view?usp=sharing
4. Sample response : https://drive.google.com/file/d/1P7-4QAW--bXK5kqwG7gVpQkiBNKqFzFe/view?usp=sharing

Fix

Define maximum password length limits that balance security and usability.

Impact

Attackers could attempt to flood your authentication system with requests that include very long password hashes, leading to resource exhaustion and potentially causing a denial of service.Longer password hashes take more time to compute during the hashing process & this can slow down user authentication and registration processes, especially if you have a large number of users or limited server resources.

We are processing your report and will contact the vriteio/vrite team within 24 hours. 5 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 5 months ago
We have contacted a member of the vriteio/vrite team and are waiting to hear back 5 months ago
Arek Nawo validated this vulnerability 5 months ago
th3l0newolf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Arek Nawo marked this as fixed in 0.3.0 with commit 187768 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago
to join this conversation