[lanstin]

Come on use a little imagination. DNS lookup for the db holding the shard with the user credentials disappears. Code isn’t expecting this, throws a generic 4xx because security instead of a generic 5xx (plenty of people writing auth code will take the stance all failures are presented the same as a bad password or non-existing username); caller interprets this a login failure.

Same auth system system used to validate logins to the bastions that have access to DNS. Voilá.

[shkkmo]

> plenty of people writing auth code will take the stance all failures are presented the same as a bad password or non-existing username

Those people would be wrong. You can take all unexpected errors and stick them behind a generic error message like "something went wrong" but you should not lie to your users with your error message.

[jtuple]

It's about not leaking sensitive information.

If you have different messages for invalid username vs invalid password, you can exploit that to determine if a user has an account at a particular service.

"Invalid credentials" for either case solves this problem.

But sure, let's report infra failures different as "unexpected error"

Now, what happens if the unexpected error is only when checking passwords, but not usernames?

Do you report "invalid credentials" when given an invalid username, but "unexpected error" when given a valid name but invalid password?

If so, you're leaking information again and I can determine valid usernames.

So, safe approach is to report "invalid credentials" for either invalid data or partial unexpected errors.

Only time you could safely report "unexpected error" is if both username check and password check are failing, which is so rare that it's almost not worth handling. Esp. at the risk of doing wrong and leaking info again.

[shkkmo]

If you really want to hide whether a username is in use, then you also have to obscure the actual duration of the authentication process among other things. The amount of hoops you need to jump through to properly hide username usage are sufficient that you need to actually consider if this is a requirement or not. Otherwise, it is just a cargo cult security practice like password character requirements or mandated password reset periods.

In this case, Facebook does not treat hiding username usage as a requirement. Their password reset mechanism not only exposes username / phonenumber usage, but ties it to a name and picture. So yes, Facebook returning an error that says credentials are incorrect when it has infrastructure problems is absolutely a defect.

[ambichook]

what if, if one service doesnt respond at all or responds with something that doesnt fit an expected format that it would if working correctly, the whole thing just says "sorry, we had an error, try again later"? if it has to check both at the same time, and cant check them independently, wouldn't that solve the vulnerability? or am i missing something? totally understandable if i am, i just want to learn /gen