Potential Security Issue in Blender OpenID implementation.
Open, Needs Triage, Public

Description

I reviewed the Blender ID client and came across a potential security issue.

Basically, using the client it is possible to use a brute-force attack to obtain the email addresses that are contained in the system. It is then possible to use a brute-force attack on the passwords.

The issue is that when a login fails, the server sends back "username" when the username does not exist (https://github.com/fsiddi/blender-id-addon/blob/master/blender_id/communication.py#L78) and the same for the password. It is a normal pattern for user/password systems not to tell what failed during authentication, but only whether it worked or failed.

I checked the server side code
https://git.blender.org/gitweb/gitweb.cgi/blender-id.git/blob/HEAD:/bid_api/views/authenticate.py#l47

Basically, the issue could be solved by having client authentication using SSH keys for server-to-server authentication, but that will not work with the blender-id-addon as it is distributed with Blender. Perhaps limit the number of tries before blocking/blacklisting the client IP or so.
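To make the two patterns concrete, here is an added illustration that is not code from Blender ID or the add-on: a login handler that reports which field failed (the behaviour described above) next to a hardened one that returns a single uniform error and throttles attempts per client IP. The user store, salt, limits and function names are constructed for this example.

```python
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed sample user store: email -> salted password hash (not real data).
# Production code should use a proper password-hashing library and higher cost.
_SALT = b"constructed-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)

USERS = {"alice@example.com": _hash("correct horse")}
_DUMMY = _hash("placeholder")  # unknown accounts still cost one hash computation

def login_leaky(email: str, password: str) -> dict:
    """Pattern described in the report: the response reveals which field failed."""
    stored = USERS.get(email)
    if stored is None:
        return {"status": "fail", "error_field": "username"}
    if not hmac.compare_digest(stored, _hash(password)):
        return {"status": "fail", "error_field": "password"}
    return {"status": "success"}

MAX_ATTEMPTS = 5        # failures allowed per client IP ...
WINDOW_SECONDS = 300    # ... within this sliding window
_attempts: dict = defaultdict(list)

def login_hardened(email: str, password: str, client_ip: str,
                   now: Optional[float] = None) -> dict:
    """Uniform failure message plus a per-IP attempt limit."""
    now = time.time() if now is None else now
    recent = [t for t in _attempts[client_ip] if now - t < WINDOW_SECONDS]
    _attempts[client_ip] = recent
    if len(recent) >= MAX_ATTEMPTS:
        return {"status": "fail", "error": "too many attempts, try again later"}
    # Always hash, so missing and existing accounts take the same work.
    stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password))
    if email not in USERS:  # a guess that matches the dummy hash must not pass
        ok = False
    if not ok:
        _attempts[client_ip].append(now)
        return {"status": "fail", "error": "invalid credentials"}
    return {"status": "success"}
```

The hardened handler gives the same response for an unknown email and a wrong password, so repeated guesses reveal nothing about which emails exist, and the per-IP counter caps how many guesses are accepted at all.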

Details

Type
Bug