#20760: Account enumeration through timing attack in password verification in
django.contrib.auth
-------------------------------------+-------------------------------------
Reporter: jpaglier@… | Owner: aaugustin
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.5
Severity: Normal | Resolution: fixed
Keywords: security | Triage Stage: Ready for
authentication timing enumeration | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by erikr):
Not negating any of your other points, Aymeric, but are you sure that the
login error message leaks existence of usernames prior to 1.6? Just tested
this on a 1.5 setup, although in Dutch, and the error message asks for a
correct username and password, not revealing which one was wrong. Also, I
can't imagine I would not have spotted this before.
I do know that prior to 1.6, we leaked username existence through the
password reset form, which would either say that an email has been sent,
or that no match was found. This was fixed a few weeks ago, if I remember
correctly.
--
Ticket URL: <https://code.djangoproject.com/ticket/20760#comment:24>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/074.449e5268e8c1d8577c1e2811f5ae5e31%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.
