(Unsure whether this was aimed at everyone in general, or at a subset of more seasoned
contributors - however, my thoughts are below.)
In the case of the user entering their password in the correct field, it would be masked
in the UI.
In the case of the user entering their password in the username field, it would be
displayed in plain text in the UI.
I would suggest that this is feedback enough to enable the user to self-correct.
Taking the issue at face value - with a user’s credential making it into the logs, what
would one do with such information?
How would an attacker take the credential and utilise it - given they don’t know what user
it was meant for?
Perhaps an attacker could iterate over the users and try the password on each.
Perhaps an attacker might see a subsequent successful login showing the actual user name
(I’m not sure if that’s logged) - which would narrow the potential users to try in a
lightly used system.
Finally, what privileges would someone who can access the logs have? Arguably they’d have
escalated administrative privileges and thus be in a position of trust already.
Personally, I wouldn’t consider this a notable vector within my threat model. However, I’m
only an interested party in the field of security, rather than an accredited security
professional.
—
Dan Hardiker | Adaptavist
dhardiker(a)adaptavist.com
Winners of the Atlassian President's Award for Technical Excellence - http://bit.ly/techexc
Adaptavist (http://adaptavist.com/), Waterside, Unit 2, 44-48 Wharf Road, London, N1 7UX, United Kingdom.
Registered in England and Wales #5456785.
On 21 Feb 2019, at 13:05, Stian Thorgersen <sthorger(a)redhat.com> wrote:
If an invalid username or email is used during login the logs will include
the username.
This could potentially be an issue if a user mistakenly enters his
credentials into the username field. We had this
https://issues.jboss.org/browse/KEYCLOAK-9400 issue opened.
Personally, I'm not convinced this is a real issue, and I'm leaning towards
keeping it as is, as having the username available can be useful when
debugging login issues.
Question is should we log the username or not?
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
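One middle ground for the question Stian raises above (log the submitted identifier for debugging versus risk logging a mistyped password): log identifiers that match the username or email policy in the clear, and replace anything else with a keyed hash so repeated attempts can still be correlated without the value itself reaching the log. The following is an added example written for this page; it is not Keycloak code and does not reflect how KEYCLOAK-9400 was resolved. The username policy, the email shape check, the user directory and the sample inputs are all constructed assumptions.

```python
"""Redact login identifiers that do not look like identifiers before logging.

Added illustration for the thread above; not Keycloak code. The username
policy, the email check, the user directory and the sample inputs are all
assumptions made for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Assumed username policy: lowercase letters, digits, dot, underscore, dash.
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,64}$")
# Deliberately loose email shape check; enough to decide "is this an address".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def redaction_token(value: str, log_key: bytes) -> str:
    """Keyed hash of the submitted value, truncated to 12 hex characters.

    Repeated attempts with the same mistyped value produce the same token,
    so an operator can still correlate them, but the value itself (which may
    be a password) never reaches the log. Because the hash is keyed, someone
    with log access but without log_key cannot run a wordlist against it.
    """
    digest = hmac.new(log_key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "redacted:" + digest[:12]


def classify_identifier(identifier: str, known_users: set[str]) -> str:
    """Return 'known_user', 'unknown_user' or 'redacted'.

    known_users is a constructed stand-in for a directory lookup. An
    identifier that is a real account is logged as entered; one that merely
    looks like a username or email is logged as an unknown user (the typo
    case that is useful for debugging); anything else is treated as possibly
    a password and redacted.
    """
    if identifier in known_users:
        return "known_user"
    if USERNAME_RE.match(identifier) or EMAIL_RE.match(identifier):
        return "unknown_user"
    return "redacted"


def render_failed_login(identifier: str, known_users: set[str], log_key: bytes) -> str:
    """Build the log line for one failed login attempt."""
    status = classify_identifier(identifier, known_users)
    shown = redaction_token(identifier, log_key) if status == "redacted" else identifier
    return f"login_failed user={shown} status={status}"


if __name__ == "__main__":
    KNOWN = {"alice", "bob@example.com"}  # constructed user directory
    KEY = b"constructed-log-key"          # in practice: a per-deployment secret
    for attempt in ("alice", "alcie", "Bob@Example.com", "Tr0ub4dor&3"):
        print(render_failed_login(attempt, KNOWN, KEY))
```

The check narrows the window rather than closes it: a password that happens to satisfy the username policy (a plain lowercase word, say) passes through in the clear, which is why the UI feedback Dan describes still matters. The keyed token also only helps if the key is kept out of the log store itself.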