New Azure Active Directory password brute-forcing flaw has no fix

New Azure Active Directory password brute-forcing flaw has no fix(arstechnica.com)

12 points by Deinos 4 years ago | 2 comments

Has no fix? You don't need logging, you just need to keep track of fails and start throttling attempts.

cratermoon 4 years ago | |

If I'm reading this correctly, the error response back to the client is a problem. The plain text is a generic "invalid username or password", but the error code included reveals too much. One of:

- The user does not exist

- The user exists and the correct username and password were entered, but the account is locked

- The user exists but does not have a password in Azure AD

- The user exists, but the wrong password was entered

- The user exists, but the maximum Pass-through Authentication time was exceeded

This violates a cardinal rule of authentication. A malicious actor can know from the error code if the user they are attempting to break is exists or not (that reduces the search space by quite a lot) and worse, it even tells them when they have a correct username/password combo for a locked account.

Yes, attempts can be throttled, but once the attacker knows a valid username/password, they can just wait.