Hot on the heels of yesterday's User management
post comes User management fail 2! More shocking discoveries! Blood!
Well, perhaps not, but still a fairly massive security fail.
I'm interviewing for a project doing Zimlets for Zimbra and as part of
the preparation I'm looking at existing Zimlets to see how they're done
(the Zimlets are located at
gallery.zimbra.com should you be
interested in having a look). One of the Zimlets I looked at seemed to
have code useful to the project and I wanted to download it - but found
no download button. Instead, I spied a login/register combo and figured
I had to register first, which I then did. Back on the original page, I
then tried to login with my new info.
When trying to log in, I got an error message, something about lacking
permissions for a given area. Not a huge fail, but not really smart
either (I registered using the button right next to the login button
that doesn't let me in - if I cannot register for the area the login
button controls, then DON'T DISPLAY a register button there). No, the
real fail lies with the error output - have a look at the image below:
It's always good to have descriptive error outputs, and if you're
debugging stuff, then extra output is fantastic. But even though I have
seemingly managed to get the 'eleet' ID, it's less than stellar
performance that they choose to tell me. And the fact that they're
outputting password hash is downright stupid. Though, of course, the
password hash itself wouldn't get you far, because at Zimbra, passwords
are also protected by salts, making a bruteforce attack very hard ...
unless you know the salt. Which Zimbra happily displays right alongside
the password hash on the login fail screen.
There is a factor mitigating this: the output is only displayed for
logins that are successful, i.e. you actually have to know the proper
user/pass combination to get it, so you cannot just start leeching
password hashes from the site. The good news only goes so far, though:
any man-in-the-middle has free access to all the data, as the login
happens over http and not https.
Note: I have contacted Zimbra about this.