Penetration Testing mailing list archives

Re: Concurrent Sessions and User Feedback


From: Daniel Staal <DStaal () usa net>
Date: Sun, 06 Apr 2003 19:15:17 -0500



--On Saturday, April 5, 2003 2:33 PM -0500 Susan Olson <olson.susan () excite com> wrote:

My question...what is the best way to handle "feedback" for users
attempting to access an account that is already logged-on?
Currently, users get a message stating that the account that they
are attempting to use is already logged-on.  I am not comfortable
with this because it lends to the possible harvesting of valid
UserIDs & Passwords by an "evil doer."  Also, I have a similar
issue with the "feedback" given to users when an account is locked
out..."Your account is currently locked out, please contact an
administrator" in that I only get this message when I have entered
a valid User ID & Password for an account that is locked out -
seems to facilitate harvesting as well.

If anyone could provide me with some ideas/strategies, etc. on how
to implement this securely I would greatly appreciate it!

No specific suggestions besides the obvious: change the error messages so that they are all the same. (Something along the line of "This username/password combination is not valid at this time." It is true in all cases...)

The problem of course is debugging. You may want to put in error codes for debugging (though a smart attacker could figure the error codes out and then you are back where you started. Still, it would be useful *before* you deploy at least, and you could remove them at the end of a debug cycle.)

The other problem is if you have an attacker smart enough to check timing differences. If the time to decide one case is detectably different than the other, that allows an avenue of opportunity. It may happen that all differences are indistinguishable from network latency variations, but you would want to be sure...

Daniel T. Staal

---------------------------------------------------------------
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---------------------------------------------------------------
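The three points in the reply above (one generic message for every failure, an internal error code kept for pre-deployment debugging, and keeping the failure branches from differing in timing) put together as an added example; this is illustrative code, not from the thread or any product, and the user store, passwords and session values are constructed.

```python
import hashlib
import hmac
import os

# Constructed user store: username -> salt, PBKDF2 hash, locked flag, active session.
_SALT = os.urandom(16)

def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

USERS = {
    "alice": {"salt": _SALT, "hash": _hash(b"correct horse", _SALT), "locked": False, "session": None},
    "bob":   {"salt": _SALT, "hash": _hash(b"battery staple", _SALT), "locked": True,  "session": None},
    "carol": {"salt": _SALT, "hash": _hash(b"hunter2", _SALT), "locked": False, "session": "s-123"},
}
# Dummy record used for unknown usernames so the hashing work is always performed.
_DUMMY = {"salt": _SALT, "hash": _hash(b"placeholder", _SALT), "locked": False, "session": None}

GENERIC = "This username/password combination is not valid at this time."

def login(username: str, password: str):
    """Return (ok, message, debug_code).

    The message is identical for every failure cause.  debug_code is the
    internal reason (unknown user, bad password, locked, concurrent session);
    it belongs in a debug log before deployment, never in the user response.
    """
    rec = USERS.get(username, _DUMMY)
    known = username in USERS
    # Always derive and compare the hash, even for unknown or locked accounts,
    # and compare in constant time, so every failure path does the same work.
    candidate = _hash(password.encode(), rec["salt"])
    pw_ok = hmac.compare_digest(candidate, rec["hash"])
    locked = rec["locked"]
    busy = rec["session"] is not None
    # Combine with '&' rather than 'and' so no condition is short-circuited.
    ok = known & pw_ok & (not locked) & (not busy)
    if ok:
        return True, "Login successful.", "OK"
    if not known:
        code = "UNKNOWN_USER"
    elif not pw_ok:
        code = "BAD_PASSWORD"
    elif locked:
        code = "LOCKED"
    else:
        code = "CONCURRENT_SESSION"
    return False, GENERIC, code
```

The account-status checks still run after the hash, so an attacker with a valid password cannot distinguish "locked" from "already logged on" from the response text; whether the remaining branches are indistinguishable over the network is something to measure, as the reply says.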
