Hot on the heels of yesterday's User management fail post comes User management fail 2! More shocking discoveries! Blood! Gore!
Well, perhaps not, but still a fairly massive security fail.
I'm interviewing for a project doing Zimlets for Zimbra and as part of the preparation I'm looking at existing Zimlets to see how they're done (the Zimlets are located at gallery.zimbra.com should you be interested in having a look). One of the Zimlets I looked at seemed to have code useful to the project and I wanted to download it - but found no download button. Instead, I spied a login/register combo and figured I had to register first, which I then did. Back on the original page, I then tried to log in with my new info.
When trying to log in, I got an error message, something about lacking permissions for a given area. Not a huge fail, but not really smart either (I registered using the button right next to the login button that doesn't let me in - if I cannot register for the area the login button controls, then DON'T DISPLAY a register button there). No, the real fail lies with the error output - have a look at the image below:
It's always good to have descriptive error outputs, and if you're debugging stuff, then extra output is fantastic. But even though I have seemingly managed to get the 'eleet' ID, it's a less than stellar performance that they choose to tell me. And the fact that they're outputting the password hash is downright stupid. Though, of course, the password hash itself wouldn't get you far, because at Zimbra, passwords are also protected by salts, making a brute-force attack very hard ... unless you know the salt. Which Zimbra happily displays right alongside the password hash on the login fail screen.
There is a factor mitigating this: the output is only displayed for logins that are successful, i.e. you actually have to know the proper user/pass combination to get it, so you cannot just start leeching password hashes from the site. The good news only goes so far, though: any man-in-the-middle has free access to all the data, as the login happens over HTTP and not HTTPS.
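As an added illustration (not code from Zimbra or from the original post), here is the kind of error handler that produces a leak like the one described above, next to a version that shows the user a generic message and keeps only a redacted record in the server log. The field names, function names and sample values are constructed assumptions.

```python
import logging
import uuid

log = logging.getLogger("auth")

# Constructed sample record; field names are assumptions, not Zimbra's schema.
SAMPLE_USER = {
    "uid": 1337,
    "name": "alice",
    "mail": "alice@example.org",
    "pass_hash": "<placeholder-hash>",
    "salt": "<placeholder-salt>",
    "roles": ["authenticated"],
}

# Fields that must never reach a response body or a log line.
SENSITIVE_KEYS = {"pass_hash", "salt", "password", "session", "token"}


def leaky_denied_page(user, area):
    """The anti-pattern: a debug-style dump of the whole user record."""
    return f"Access denied to {area}. User: {user!r}"


def redact(record):
    """Return a copy with secret fields masked, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


def safe_denied_page(user, area):
    """Generic message for the client; the detail stays in the server log."""
    ref = uuid.uuid4().hex[:12]  # lets support match a report to the log entry
    log.warning("access denied ref=%s area=%s user=%r", ref, area, redact(user))
    return f"You do not have permission to access this area. Reference: {ref}"
```
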
Note: I have contacted Zimbra about this.