almet
commented
10 months ago You're correct, thanks for bringing this up. I believe it's a tradeoff we're doing right now, to ease the life of the users.
Some more context:
- the
idof the project is not secret, and is not shared with other services, so for instance a leak of a database wouldn't be usable with other leaked databases (like we see for usernames/emails)
Mitigations:
- We have a protection in place for logins, but only used for
/admin, so I wonder if we should also protect other resources, and if that would be enough to mitigate this. - Always present the authenticator page, even when the project doesn't exist.
- Never present the authenticator page, even when the project exists, and always redirect to the front page.
What do you think?
nevercodecorrect
Hello, An attacker could know what are the projects exist by simply brute-force checking
localhost:8080/testproject. If the returned page is authenticator then he knows the project exist as if the project does not exist, the returned page will be create project page. It also applies to the user/bill index. The returned page are different and the index is easy to guess. All those trials does need any login/priveledge at all.