[keycloak-dev] Log username if user is not found?

Dan Hardiker dhardiker at adaptavist.com
Thu Feb 21 08:51:02 EST 2019 

(Unsure of whether this was generally aimed to all, or a subset of more seasoned contributors - however my thoughts are below)

In the case of the user entering their password in the correct field, it would be masked in the UI.
In the case of the user entering their password in the username field, it would be displayed in plain text in the UI.
I would suggest that this is feedback enough to enable the user to self correct.

Taking the issue at face value - with a user’s credential making it into the logs, what would one do with such information?
How would an attacker take the credential and utilise it - given they don’t know what user it was meant for?
Perhaps an attacker could iterate over the users and try the password on each.
Perhaps an attacker might see a subsequent successful login showing the actual user name (I’m not sure if that’s logged) - which would narrow the potential users to try in a lightly used system.

Finally, what privileges would someone who can access the logs have? Arguably they’d have escalated administrative privileges and thus be in a position of trust already.

Personally, I wouldn’t consider this a notable vector within my threat model. However, I’m only an interested party in the field of security, rather than an accredited security professional.


—
Dan Hardiker | Adaptavist
dhardiker at adaptavist.com
 
Winners of the Atlassian President's Award for Technical Excellence - http://bit.ly/techexc <http://bit.ly/techexc>

Adaptavist <http://adaptavist.com/>, Waterside, Unit 2, 44-48 Wharf Road, London, N1 7UX, United Kingdom.
Registered in England and Wales #5456785.

> On 21 Feb 2019, at 13:05, Stian Thorgersen <sthorger at redhat.com> wrote:
> 
> If an invalid username or email is used during login the logs will include
> the username.
> 
> This could potentially be an issue if a user mistakenly enters his
> credentials into the username field. We had this
> https://issues.jboss.org/browse/KEYCLOAK-9400 issue opened.
> 
> Personally I'm not convinced this is a real issue and I'm leaning towards
> keeping it as is as having the username available can be useful when
> debugging login issues.
> 
> Question is should we log the username or not?
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list