Potential Security Issue in Blender OpenID implementation.
Open, Needs Triage, Public


I reviewed the Blender ID client and came across a potential security issue.

Basically, using the client it is possible to use a brute-force attack to find email addresses that are contained in the system. It is then possible to use a brute-force attack on the passwords.

The issue is that when a login fails, the server sends back "username" when the username does not exist. https://github.com/fsiddi/blender-id-addon/blob/master/blender_id/communication.py#L78
and the same for the password. The normal pattern for user/password systems is not to tell what failed during authentication, but just whether it worked or failed.

I checked the server-side code.

Basically, the issue can be solved by having client authentication using SSH keys for server-to-server authentication, but that will not work with the blender-id-addon as it is distributed with Blender. Perhaps limit the number of tries before blocking/blacklisting the client IP or so.
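The pattern the report describes, as an added example that is not part of the original report or of the Blender ID server or addon code: a login handler that returns a field-specific error (which gives an attacker a yes/no oracle for account existence), beside a hardened handler that returns one generic error for both unknown user and wrong password, hashes against a dummy record for unknown users so the slow step always runs, and limits failed attempts per client IP as the report suggests. The user table, the PBKDF2 parameters, the IP addresses and the limiter thresholds are all constructed for the example.

```python
"""Added example (not Blender ID code): field-specific login errors versus a
hardened login with one generic error, dummy hashing and per-IP rate limiting."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ITERATIONS = 100_000  # assumed value; tune to your hardware budget


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user table for the example (not real Blender ID accounts).
USERS = {"alice@example.com": hash_password("correct horse battery staple")}
# Dummy credential that unknown emails are checked against, so the expensive
# hashing step runs whether or not the account exists.
DUMMY_SALT, DUMMY_DIGEST = hash_password(os.urandom(32).hex())


def login_leaky(email, password):
    """Mirrors the reported behaviour: the error says which field failed."""
    if email not in USERS:
        return {"status": "fail", "field": "username"}
    salt, digest = USERS[email]
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return {"status": "fail", "field": "password"}
    return {"status": "success"}


def enumerate_emails(candidates, login):
    """Attacker view: an email exists if the failure is not about the username.
    Against the leaky handler this yields exactly the registered addresses;
    against a uniform-error handler it yields every candidate (no oracle)."""
    return [e for e in candidates
            if login(e, "wrong-password").get("field") != "username"]


class RateLimiter:
    """Counts failed logins per client IP inside a sliding time window."""

    def __init__(self, max_failures=5, window_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)  # ip -> list of failure timestamps

    def _prune(self, ip, now):
        cutoff = now - self.window
        self.failures[ip] = [t for t in self.failures[ip] if t > cutoff]

    def blocked(self, ip, now):
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.max_failures

    def record_failure(self, ip, now):
        self.failures[ip].append(now)


def login_hardened(email, password, client_ip, limiter, now):
    """One generic error for unknown user and bad password alike; always hashes
    (against the dummy record if needed) so timing is uniform; limits by IP."""
    if limiter.blocked(client_ip, now):
        return {"status": "fail", "error": "too many attempts"}
    salt, digest = USERS.get(email, (DUMMY_SALT, DUMMY_DIGEST))
    candidate = hash_password(password, salt)[1]
    # compare_digest is evaluated first so the unknown-user path does the same work.
    ok = hmac.compare_digest(candidate, digest) and email in USERS
    if not ok:
        limiter.record_failure(client_ip, now)
        return {"status": "fail", "error": "invalid credentials"}
    return {"status": "success"}


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("leaky oracle finds:", enumerate_emails(probes, login_leaky))
    lim = RateLimiter()
    hardened = lambda e, p: login_hardened(e, p, "203.0.113.7", lim, time.time())
    print("hardened oracle finds:", enumerate_emails(probes, hardened))
```

The `now` parameter is passed in explicitly rather than read from the clock inside the limiter so the window logic can be exercised deterministically; a server would pass `time.time()`. Note that the rate limiter answers the brute-force half of the report but not the enumeration half on its own: a slow, distributed probe still learns which addresses exist unless the error is made uniform.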