User Enumeration Caused by IdentityToolkit [148806678]

Assigned

Bug

Status Update

No update yet.

Description

[Deleted User]

created issue #1

Feb 4, 2020 04:43PM

Vulnerability Classification: User Enumeration

Steps to Reproduce:
1. Visit

https://developers.google.com/identity/toolkit/web/configure-service (identitytoolkit API)
2. Follow instructions to set up a configure a test site using one of the quickstart applications.
3. Add a user to the API using the /setAccountInfo endpoint (

https://developers.google.com/identity/toolkit/web/reference/relyingparty/setAccountInfo)
4. Query the API using the /verifyPassword endpoint (

https://developers.google.com/identity/toolkit/web/reference/relyingparty/verifyPassword) using:
a. A user that exists
b. A user that doesn't exist
5. Note the different responses from the API:
"INVALID_PASSWORD"
"EMAIL_NOT_FOUND"
Depending on the validity of the user's e-mail address or username, the application will tell you if that e-mail/username is associated with an account.

Attack scenario:
Any unauthenticated user with access to the site can spray the /verifyPassword endpoint of the target application with a list of e-mail addresses in order to enumerate which of those e-mails is associated with a valid account. This can be useful for an attacker looking to target specific users with different types of attacks, not limited to XSS, CSRF, brute force/password spraying and more.

Screenshots:
1.

https://drive.google.com/open?id=1AgpuJCh_Jfu2ONmnEKUeUv_MdmZkQPA-
2.

https://drive.google.com/open?id=1hhw8E1x41K9UB8Kb1dNUpawfxd2k5J2J

Mitigation:
Instead of responding with two error messages, respond with "USERNAME_OR_PASSWORD_NOT_VALID" in the API for both situations.

Comments

[Deleted User] <[Deleted User]> #2Feb 5, 2020 10:15PM

Hello,

Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team and I can't provide you ETA for it to be delivered. However, you can keep track of the status by following this thread.

se...@google.com <se...@google.com> #3Feb 6, 2020 10:07AM

Accepted by se...@google.com.

https://issuetracker.google.com/187735505

Message last modified on Feb 6, 2020 10:08AM

[Deleted User] <[Deleted User]> #4Feb 6, 2020 10:41AM

https://issuetracker.google.com/187735505

se...@google.com <se...@google.com> #5Feb 6, 2020 03:23PM

Okay, I'm going to create an internal issue report. I'll let you know when I get any updates from Google Engineers.

se...@google.com <se...@google.com> Feb 11, 2020 07:52AM

Assigned to gc...@google.com.

se...@google.com <se...@google.com> #6Feb 12, 2020 02:33PM

I received reply from Google Engineers. In general we try to balance between user experience and security. We want to provide more actionable error messages to end users and we also want to expose the ability to look up a user's providers or whether the account exists when an email is provided where a developer needs to know what provider to sign in a user after they enter their email. But at the same time, we throttle these endpoints to prevent abuse and make such attacks less feasible.

[Deleted User] <[Deleted User]> #7Feb 12, 2020 04:24PM

As far as I can tell there is no throttling happening.

[Deleted User] <[Deleted User]> #8Feb 12, 2020 05:20PM

That said, even if it's throttled, it still puts us out of compliance and we need to remediate this. The current implementation isn't acceptable for our purposes.

[Deleted User] <[Deleted User]> #9Feb 16, 2020 09:16PM

Can I get a status update?