kaansoral / adventureland

Adventure Land The Open Source CODE MMORPG

Server login with wrong password #138

Open melg8 opened 4 months ago

melg8 commented 4 months ago

When you try to log in with the right email but the wrong password, the server should always respond with a login-attempt-failure reply. When you try to log in with the wrong email, the server should always respond with a login-attempt-failure reply.

Right now, if you try to log in with the right email but the wrong password while some of the characters on this account are in the bank, the server replies with {"type": "ui_error", "message": "Can't login while inside the bank"}. I think the login-attempt-failure message should have priority over any other messages. Also, if this happens for the "bank" situation, maybe there are other cases where the server "leaks" some information while not being provided with the right password for login.

thmsndk commented 4 months ago

For security reasons, a failed login attempt should never specifically indicate whether the username or the password was correct.

melg8 commented 4 months ago

@thmsndk agreed. In the current state you can brute-force logins, with the server replying differently when it was correct. I changed the initial post's wording a little to account for this issue as well.