cose451-asu / chat-server

Chatting server implemented by using Scala, Akka, Cats

[Alice and Bob] Second attack #3

Open GDtoPlay opened 4 years ago

GDtoPlay commented 4 years ago

Version: 1.0
Env: ubuntu 16.0.4
loc: vulnerability was made by lack of funcs (a vulnerability caused by a missing feature)
type: CWE-307: https://cwe.mitre.org/data/definitions/307.html
Explanation of vulnerability: I can't find any function that counts login attempts or prevents a sequence of login attempts within a short time. It means that a malicious user can do brute-force attacks to get a user account.

doohochang commented 4 years ago

Hello, thanks for your report. A brute-force attack to get a user token is infeasible because the user token is a 128-bit UUID. Since the size of the user token is big enough, attackers cannot obtain a user token before the access token expires (1 hour). So, practical attacks on user privilege are infeasible.

Team ASU

doohochang commented 4 years ago

(Same comment as in #2.) We also added simple API rate-limit logic for the same IP address. See Changes. It blocks requests and returns the UNAVAILABLE gRPC status if there were more than 10 request calls in a second. Thanks!

Team ASU

AlanSynn commented 4 years ago

Commit ID

27ac859

Cause of vulnerability

Same as #2: no interception logic to check the IP and validate against a malicious attack.

Explanation of the patch

Implemented the feature with AtomicReference to prevent the race condition.
Blocks requests and returns the UNAVAILABLE gRPC status if there were more than 10 request calls in a second.
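The per-IP limit described in the two comments above (state kept in an AtomicReference, reject once a single address exceeds 10 calls in a second, the gRPC call then closed with UNAVAILABLE) is written out below as an added, stand-alone Scala example; it is not the project's code from commit 27ac859 and was not taken from the issue. The class and method names (IpRateLimiter, allow), the sample address 203.0.113.7, and the fixed-window counting scheme are assumptions; the interceptor wiring is only referenced in a comment because it needs the grpc-java dependency.

```scala
import java.util.concurrent.atomic.AtomicReference

// Fixed-window limiter: at most `limit` calls per `windowMillis` for each IP.
// The whole Map lives in one AtomicReference and is replaced atomically with
// updateAndGet, so two threads handling the same IP never lose an increment.
// (The update function may be re-run on contention, so it must stay pure.)
final class IpRateLimiter(limit: Int = 10, windowMillis: Long = 1000L) {
  // ip -> (start of the current window, calls seen in that window)
  private val state = new AtomicReference[Map[String, (Long, Int)]](Map.empty)

  /** Returns true if the call is allowed, false if it must be rejected. */
  def allow(ip: String, now: Long = System.currentTimeMillis()): Boolean = {
    val updated = state.updateAndGet { m =>
      // Drop entries whose window has expired so the map cannot grow without
      // bound as new addresses appear (one address per entry otherwise).
      val live = m.filter { case (_, (start, _)) => now - start < windowMillis }
      val (start, count) = live.getOrElse(ip, (now, 0))
      live.updated(ip, (start, count + 1))
    }
    updated(ip)._2 <= limit
  }
}

object RateLimitDemo extends App {
  val limiter = new IpRateLimiter()
  val ip = "203.0.113.7" // constructed sample address from the TEST-NET-3 range

  // 12 calls inside one window: the first 10 pass, calls 11 and 12 are rejected.
  val burst = (1 to 12).map(_ => limiter.allow(ip, now = 0L))
  println(burst) // Vector(true x10, false, false)

  // One second later a new window starts and the address is admitted again.
  println(limiter.allow(ip, now = 1000L)) // true

  // In a gRPC ServerInterceptor a `false` result is where the patch would do
  // call.close(Status.UNAVAILABLE, new Metadata()) and return a no-op listener
  // (assumed wiring, not shown here).
}
```

Two design points worth noting when reviewing a limiter like this: the `now` value is passed in explicitly so the behaviour can be exercised deterministically, and a fixed window lets a client send up to 2x the limit across a window boundary; a sliding window or token bucket closes that gap if the 10-per-second figure needs to be strict.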