by cratermoon
1715 days ago
If I'm reading this correctly, the error response back to the client is a problem. The plain text is a generic "invalid username or password", but the error code included reveals too much. One of:
- The user does not exist
- The user exists and the correct username and password were entered, but the account is locked
- The user exists but does not have a password in Azure AD
- The user exists, but the wrong password was entered
- The user exists, but the maximum Pass-through Authentication time was exceeded

This violates a cardinal rule of authentication. A malicious actor can know from the error code whether the user they are attempting to break exists or not (that reduces the search space by quite a lot) and, worse, it even tells them when they have a correct username/password combo for a locked account. Yes, attempts can be throttled, but once the attacker knows a valid username/password, they can just wait.
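To make the point above concrete, here is an added example (not from the comment or from Azure AD) of the leaky response pattern next to a hardened one: the same internal outcomes the comment lists, mapped once to distinct client-visible codes and once to a single uniform code with the real reason kept in a server-side log. The outcome names, the `ERR_*` codes and the log structure are constructed placeholders, not real Azure AD identifiers.

```python
from enum import Enum, auto


class AuthOutcome(Enum):
    """Internal failure reasons as listed in the comment (constructed names)."""
    USER_NOT_FOUND = auto()
    ACCOUNT_LOCKED = auto()      # correct credentials, but the account is locked
    NO_PASSWORD_SET = auto()     # user exists but has no password in the directory
    WRONG_PASSWORD = auto()
    PTA_TIMEOUT = auto()         # pass-through authentication time limit exceeded


GENERIC_MESSAGE = "invalid username or password"

# Server-side audit trail; in a real service this would be a structured log sink.
SERVER_LOG: list[dict] = []


def leaky_response(outcome: AuthOutcome) -> dict:
    """The problematic pattern: generic text, but a per-cause error code.

    Anyone comparing responses can tell the outcomes apart, so the code
    leaks whether the user exists and whether the password was right.
    """
    return {"message": GENERIC_MESSAGE, "code": f"ERR_{outcome.name}"}  # placeholder codes


def hardened_response(outcome: AuthOutcome, username: str) -> dict:
    """The fix: one indistinguishable client response for every failure.

    The precise reason is still recorded server-side so operators can
    investigate lockouts and timeouts without exposing them to the caller.
    """
    SERVER_LOG.append({"user": username, "reason": outcome.name})
    return {"message": GENERIC_MESSAGE, "code": "ERR_AUTH_FAILED"}


def distinguishable(responses: list[dict]) -> bool:
    """True if at least two client-visible responses differ in any field."""
    return len({tuple(sorted(r.items())) for r in responses}) > 1


if __name__ == "__main__":
    leaky = [leaky_response(o) for o in AuthOutcome]
    safe = [hardened_response(o, "alice") for o in AuthOutcome]
    print("leaky distinguishable:", distinguishable(leaky))    # True
    print("hardened distinguishable:", distinguishable(safe))  # False
    print("server-side reasons logged:", len(SERVER_LOG))
```

The `distinguishable` check is the one to keep in a test suite: run every internal outcome through the response mapper and assert the client-visible results collapse to a single value.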