No Protection Against Bruteforce Attacks on Login Page in linagora/twake


Reported on

Jan 11th 2023


Twake does not limit unsuccessfull login attempts allowing an attacker to brute force the password of an administrator or regular user.

Proof of Concept

Steps to reproduce Because Twake does not rate limit authentication attempts an attacker could either bruteforce both the login and password. However in a real world scenario we would liekly see an attacker either create an account and enumerate users or leverage a compromised account to obtain a user list.

Then a malicious actor would capture the login request with Burpsuite

Send the request to Intruder

Replay the login request with a different password value utilziing a password list payload such as rockyou.txt

Should the correct password be tried, a 200 OK response is returned

Incorrect attempts are returned with a 404 Unauthorized

Burpsuite will continue attempting all passwords in the password list until it is complete

Burpuite Replay:

POST /internal/services/console/v1/login HTTP/1.1
Content-Length: 77
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: application/json
sec-ch-ua-mobile: ?0
Authorization: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: lhc_vid=6329efff387471209bb0
Connection: close



The impact is unlimited password attempts leading to Brute Force attacks on the login page. Should this application be hosted on a website it may also lead to a Denial of Service.

We are processing your report and will contact the linagora/twake team within 24 hours. a year ago
We have contacted a member of the linagora/twake team and are waiting to hear back a year ago
Romaric Mourgues validated this vulnerability 8 months ago

Hi, we enabled the brute force module on our SSO. Thanks for your time and for getting back to us regularly by email :) Romaric

0xsu3ks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Romaric Mourgues marked this as fixed in 0.0.0 with commit 599f39 8 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Romaric Mourgues published this vulnerability 8 months ago
to join this conversation