Observable Response Discrepancy in heroiclabs/nakama

Valid

Reported on

Jan 21st 2022


Description

It is possible to enumerate usernames via the Log-In function.

Proof of Concept

The login response provides information, whether the username is registered or not in the application. If the user is registered, and wrong password provided, the following information being displayed:

Invalid credentials.

If the user is not registered, the message contains the following:

Invalid Nakama Console credentials.

Impact

It is possible to enumerate usernames of registered users in the application. An attacker can then chain this information with other attacks.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 2 years ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 4 days. 2 years ago
heroiclabs/nakama maintainer
2 years ago

Maintainer


Strictly speaking this is a vulnerability - however practically speaking this extremely low impact from a security standpoint.

Typically (and based on our recommendation) the Nakama Console should only be exposed to internal networks and not the internet. If exposed to the net, this could be an attack vector for an unknown/bad actor to try and guess users/password.

Low on priority due to the nature of deployment, but we’ll fix this at a later date.

Mo Firouz validated this vulnerability 2 years ago
thelabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. 2 years ago
heroiclabs/nakama maintainer marked this as fixed in v3.11.0 with commit afe8bd 2 years ago
The fix bounty has been dropped
Daniel Hunt
a year ago

Regardless if the application is only exposed to internal networks or not, a vulnerability is a vulnerability is a vulnerability.

Andrei Mihu
a year ago

Maintainer


We agree it is technically a vulnerability. This is why we acknowledged it, awarded the bounty, and fixed the issue already.

to join this conversation