heartcombo / devise

Flexible authentication solution for Rails with Warden.
http://blog.plataformatec.com.br/tag/devise/
MIT License

Authentication allows non-matching passwords #5586

Closed jhonmunoz closed 1 year ago

jhonmunoz commented 1 year ago

Environment

Ruby version: 2.7.3
Rails version: 6.1.7
Devise version: 4.7.3

Current behavior

When a user sets their password to a string containing emojis or other special characters, they are still able to log in and authenticate successfully, even if they enter a different string at login. This vulnerability allows an attacker to bypass authentication and gain unauthorized access to user accounts.

Steps to reproduce

1. Create a new user account and set the password to a string containing emojis or other special characters (e.g., 🚀✅🎉🎉🛑🚀✅🎉🎉🛑🚀✅🎉🎉🛑🚀✅🎉🎉🛑).
2. Log out of the user account.
3. Attempt to log in using a different string (e.g., 🚀✅🎉🎉🛑🚀✅🎉🎉🛑🚀✅🎉🎉🛑🛑). (Note the extra 🛑.)
4. Observe that the login is successful, despite the different string.

Expected behavior

Users should not be able to log in using a different string than the one they set as their password. Authentication should fail if the password entered at login does not match the password set by the user.

Possible solution

This vulnerability may be caused by an issue with the password encryption or authentication code.

Additional context

This vulnerability has been tested on multiple machines and persists across different configurations. It has been reproduced consistently and poses a serious security risk to our web application. We would appreciate any assistance in resolving this issue as soon as possible.

Please let us know if you require any further information or assistance from us.

Thank you for your attention to this matter.

jhonmunoz commented 1 year ago

This was related to the bcrypt gem; it's truncating passwords greater than 72 bytes.
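The truncation the reporter ran into, as an added example that is not part of the issue thread, Devise, or the bcrypt gem: bcrypt only feeds the first 72 bytes of the password into the key schedule, so any two passwords that agree on those 72 bytes produce the same hash and both verify. The emoji strings below are constructed for this example (each 🚀✅🎉🎉🛑 group is 19 bytes, so four groups is 76 bytes, past the limit while only 20 characters long). The `bcrypt_effective_key` helper models the 72-byte limit in plain Ruby rather than calling the gem, so the script runs with no native extension installed; `password_errors` and `prehash_for_bcrypt` are hypothetical helpers showing the two usual fixes, a byte-length check and a pre-hash, and are not Devise APIs.

```ruby
require 'digest'

# bcrypt uses at most this many bytes of the password as key material
# (assumption stated for this example: the gem's $2a$/$2b$ behaviour).
BCRYPT_MAX_BYTES = 72

# Model of what bcrypt actually hashes: the password's leading 72 bytes.
# This stands in for the gem; it is not BCrypt::Password.create.
def bcrypt_effective_key(password)
  password.b.byteslice(0, BCRYPT_MAX_BYTES)
end

# True when bcrypt would verify +attempt+ against a hash of +stored+,
# i.e. when their first 72 bytes are identical.
def collides_under_bcrypt?(stored, attempt)
  bcrypt_effective_key(stored) == bcrypt_effective_key(attempt)
end

# Fix 1: reject over-long passwords at validation time. Devise's default
# length validation counts characters, not bytes, so a 20-emoji password
# passes it while exceeding 72 bytes. Returns the messages a model
# validation would add to errors[:password] (hypothetical helper).
def password_errors(password)
  errors = []
  return errors if password.nil? || password.empty?
  if password.bytesize > BCRYPT_MAX_BYTES
    errors << "is too long (maximum is #{BCRYPT_MAX_BYTES} bytes; got #{password.bytesize})"
  end
  errors
end

# Fix 2: pre-hash to a fixed 44-byte Base64 SHA-256 digest before bcrypt
# so the whole password always contributes. Base64 avoids NUL bytes in the
# key. Caveat: this changes the stored hash format, so existing hashes
# must be re-hashed on next login or a migration run (hypothetical helper).
def prehash_for_bcrypt(password)
  Digest::SHA256.base64digest(password)
end

# Constructed sample input mirroring the reporter's strings.
GROUP = "\u{1F680}\u{2705}\u{1F389}\u{1F389}\u{1F6D1}" # 🚀✅🎉🎉🛑, 19 bytes
STORED_PASSWORD = GROUP * 4                           # 20 chars, 76 bytes
LOGIN_ATTEMPT   = GROUP * 4 + "\u{1F6D1}"             # extra 🛑, 80 bytes

if __FILE__ == $PROGRAM_NAME
  puts "stored:  #{STORED_PASSWORD.length} chars, #{STORED_PASSWORD.bytesize} bytes"
  puts "attempt: #{LOGIN_ATTEMPT.length} chars, #{LOGIN_ATTEMPT.bytesize} bytes"
  puts "collide under bcrypt? #{collides_under_bcrypt?(STORED_PASSWORD, LOGIN_ATTEMPT)}"
  puts "validation errors:    #{password_errors(STORED_PASSWORD).inspect}"
  puts "collide after prehash? #{collides_under_bcrypt?(prehash_for_bcrypt(STORED_PASSWORD),
                                                       prehash_for_bcrypt(LOGIN_ATTEMPT))}"
end
```

The byte-length check is the smaller change: it only needs a custom validation on the model (add a message to `errors[:password]` when `password.bytesize > 72`) and leaves stored hashes untouched. Pre-hashing removes the limit entirely but is a hash-format change and should be rolled out with a re-hash path for existing users.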