#20760: Account enumeration through timing attack in password verification in django.contrib.auth -------------------------------------+------------------------------------- Reporter: jpaglier@… | Owner: aaugustin Type: Bug | Status: closed Component: contrib.auth | Version: 1.5 Severity: Normal | Resolution: fixed Keywords: security | Triage Stage: Ready for authentication timing enumeration | checkin Has patch: 1 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 -------------------------------------+-------------------------------------
Comment (by erikr): Not negating any of your other points, Aymeric, but are you sure that the login error message leaks existence of usernames prior to 1.6? Just tested this on a 1.5 setup, although in Dutch, and the error message asks for a correct username and password, not revealing which one was wrong. Also, I can't imagine I would not have spotted this before. I do know that prior to 1.6, we leaked username existence through the password reset form, which would either say that an email has been sent, or that no match was found. This was fixed a few weeks ago, if I remember correctly. -- Ticket URL: <https://code.djangoproject.com/ticket/20760#comment:24> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/074.449e5268e8c1d8577c1e2811f5ae5e31%40djangoproject.com. For more options, visit https://groups.google.com/groups/opt_out.