From b5a3aecf18740fb699f871c8e1d110d847fea6d3 Mon Sep 17 00:00:00 2001 From: Daniel Aloni <74783603+Danieloni1@users.noreply.github.com> Date: Tue, 7 Jun 2022 17:58:48 +0300 Subject: [PATCH] Return the same error message from `/login` when password is incorrect and when account doesn't exist. (#12738) --- changelog.d/12738.misc | 1 + synapse/handlers/auth.py | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 changelog.d/12738.misc diff --git a/changelog.d/12738.misc b/changelog.d/12738.misc new file mode 100644 index 000000000000..825222347540 --- /dev/null +++ b/changelog.d/12738.misc @@ -0,0 +1 @@ +Report login failures due to unknown third party identifiers in the same way as failures due to invalid passwords. This prevents an attacker from using the error response to determine if the identifier exists. Contributed by Daniel Aloni. \ No newline at end of file diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index fbafbbee6b0b..6e15028b0a38 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -81,6 +81,8 @@ logger = logging.getLogger(__name__) +INVALID_USERNAME_OR_PASSWORD = "Invalid username or password" + def convert_client_dict_legacy_fields_to_identifier( submission: JsonDict, @@ -1215,7 +1217,9 @@ async def validate_login( await self._failed_login_attempts_ratelimiter.can_do_action( None, (medium, address) ) - raise LoginError(403, "", errcode=Codes.FORBIDDEN) + raise LoginError( + 403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN + ) identifier_dict = {"type": "m.id.user", "user": user_id} @@ -1341,7 +1345,7 @@ async def _validate_userid_login( # We raise a 403 here, but note that if we're doing user-interactive # login, it turns all LoginErrors into a 401 anyway. - raise LoginError(403, "Invalid password", errcode=Codes.FORBIDDEN) + raise LoginError(403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN) async def check_password_provider_3pid( self, medium: str, address: str, password: str