Potential Security Issue in Blender OpenID implementation. #54572
Reference: infrastructure/blender-id#54572
I reviewed the Blender ID client and came across a potential security issue.
Basically, using the client it is possible to use a brute force attack to retrieve email addresses which are contained in the system. It is then possible to use a brute force attack for the passwords.
The issue is that when a login fails the server sends back `username` when the username does not exist (https://github.com/fsiddi/blender-id-addon/blob/master/blender_id/communication.py#L78) and the same for the password. It is a normal pattern for user/password systems to not tell what failed during the authentication, but just to tell whether it worked or it failed.
I checked the server side code
https://git.blender.org/gitweb/gitweb.cgi/blender-id.git/blob/HEAD:/bid_api/views/authenticate.py#l47
Basically the issue can be solved by having client authentication using SSH keys for server-to-server authentication, but that will not work with the blender-id-addon as it is distributed with Blender. Perhaps limit the number of tries before blocking/blacklisting the client IP or so.
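The following is an added illustration of the pattern the report describes, not code from Blender ID or the blender-id-addon: a login endpoint that blames the failure on `username` or `password` separately lets a probe enumerate which accounts exist, while a uniform `invalid_credentials` response (with an equal-cost dummy hash for unknown users) plus a per-IP failure limit does not. The user table, addresses, passwords and salt are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample data for the example only (not Blender ID users).
_SALT = b"constructed-example-salt"
_ITERATIONS = 10_000  # low on purpose so the example runs quickly


def _hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, _ITERATIONS)


USERS = {
    "alice@example.com": (_SALT, _hash_password(b"correct horse", _SALT)),
}

# Hashed against this when the username is unknown, so an absent account
# costs the same time as a present one and cannot be told apart by timing.
_DUMMY_RECORD = (_SALT, _hash_password(b"placeholder", _SALT))


def authenticate_leaky(username: str, password: str, **_unused) -> dict:
    """The pattern in the report: the response says WHICH part failed."""
    if username not in USERS:
        return {"status": "fail", "reason": "username"}
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password.encode(), salt), stored):
        return {"status": "fail", "reason": "password"}
    return {"status": "success"}


class RateLimiter:
    """Sliding-window count of failed logins per client IP (hypothetical helper)."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(list)  # ip -> timestamps of failures

    def _prune(self, ip: str) -> None:
        cutoff = self.clock() - self.window
        self._failures[ip] = [t for t in self._failures[ip] if t > cutoff]

    def allowed(self, ip: str) -> bool:
        self._prune(ip)
        return len(self._failures[ip]) < self.max_attempts

    def record_failure(self, ip: str) -> None:
        self._failures[ip].append(self.clock())


def authenticate_uniform(username: str, password: str, client_ip: str, limiter: RateLimiter) -> dict:
    """Hardened form: one failure reason, equal work for unknown users, per-IP limit."""
    if not limiter.allowed(client_ip):
        # Blocked regardless of whether the credentials would have been right.
        return {"status": "fail", "reason": "too_many_attempts"}
    salt, stored = USERS.get(username, _DUMMY_RECORD)
    digest = _hash_password(password.encode(), salt)
    ok = username in USERS and hmac.compare_digest(digest, stored)
    if not ok:
        limiter.record_failure(client_ip)
        return {"status": "fail", "reason": "invalid_credentials"}
    return {"status": "success"}


def enumerate_users(candidates, auth, **auth_kwargs) -> list:
    """Brute-force probe: an account exists if the failure is blamed on the password."""
    found = []
    for candidate in candidates:
        result = auth(candidate, "not-the-real-password", **auth_kwargs)
        if result.get("reason") == "password":
            found.append(candidate)
    return found


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com"]
    print("leaky endpoint reveals:", enumerate_users(probes, authenticate_leaky))
    limiter = RateLimiter(max_attempts=3, window_seconds=60)
    print("uniform endpoint reveals:",
          enumerate_users(probes, authenticate_uniform, client_ip="203.0.113.5", limiter=limiter))
```

The limiter counts only failures, so a legitimate user who types the right password is not penalised; once the budget is exhausted the block applies even to a correct password, which is what stops an online password brute force from the same address.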
Added subscriber: @Jeroen-Bakker
Added subscribers: @fsiddi, @dr.sybren, @Sergey
@dr.sybren, @fsiddi, mind having a look?