Community mailing list archives

community@mail.odoo.com

Re: Possible security issue?

by Quentin THEURET <qt@tempo-consulting.fr> - 11/18/2014 11:10:23
On 18/11/2014 16:22, Maarten De Wispelaere wrote:
> Dear all,
>
> I noticed that, on https://www.odoo.com/web/login ; the form shows whether an account exists or not…
>
> Screenshot:
> https://dl.dropboxusercontent.com/u/13684809/odoo_login.png
>
> This doesn’t seem like a very good idea from a security aspect. Normally, you should say - after an attempt to login - that either the username or password is invalid, but not give clues to whether an account actually exists or not.
> In doing so, you actually make it easier for dictionary attacks to guess for accounts…
>
> Classic attacks seek username & password combinations, not knowing whether a user exists or not, which makes it a very slow process (relatively).
> If a valid user can be detected, the time needed to try all combinations is reduced by a huge factor, as you can first concentrate on finding valid user accounts, and only afterwards try to guess the password.
>
>
> This might seem a nice idea from a usability kind of perspective, I get that… but you might want to reconsider…

Hi,

I think you are right. It's not a big security hole, but the less 
information you give to attackers, the more difficult it becomes to find the 
credentials.

I think Odoo could reconsider this point.

Regards,
-- 
Quentin THEURET

TeMPO Consulting
20, Avenue de la paix
67000 Strasbourg
France

http://www.tempo-consulting.fr
Tel : +33 3 88 56 82 18
Fax : +33 9 70 63 35 46
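The enumeration problem Maarten describes, as an added example that is not Odoo's code nor taken from this thread: a login handler that reveals whether an account exists through its error message, beside one that returns the same message and does the same amount of hashing work whether or not the account exists (a uniform message alone still leaks if the unknown-user path returns measurably faster). The user store, salt and passwords are constructed.

```python
import hashlib
import hmac

# Constructed in-memory user store standing in for Odoo's res.users table:
# username -> (salt, PBKDF2-SHA256 hash of the password).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential that is verified when the username is unknown, so the
# unknown-user path costs the same hashing work as the known-user path.
_DUMMY = (_SALT, _hash("dummy-password-never-valid", _SALT))


def login_leaky(username: str, password: str) -> tuple:
    """Distinguishes 'no such user' from 'bad password' in both message and timing."""
    if username not in USERS:
        return (False, "Wrong login")  # fast path, account does not exist
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Wrong password")  # slow path, account exists
    return (True, "Welcome")


def login_uniform(username: str, password: str) -> tuple:
    """Same message and same hashing cost regardless of whether the account exists."""
    salt, stored = USERS.get(username, _DUMMY)
    # compare_digest is evaluated before the membership test, so the hash is
    # always computed; the membership test rejects a guess of the dummy password.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return (ok, "Welcome" if ok else "Wrong login/password")
```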