Limit username validation attempts to improve security

Alpha1

Well-known member
The registration form has a username validation function. it seems this can be abused by attackers to find out what accounts are present on the site. The attacker can run a script to try millions of possible usernames to get a member list. I have recently encountered such attack on my vbulletin big board, as vbulletin has a similar function. I've tried it out and there does not seem to be any limitation on xenforo registration either.
Once the attacker has a member list they are one step closer to hacking a site. Therefore I think it should be prevented.

This can be prevented by implementing a limit on this function, so that a user can only try X times, after which the user will be locked out from using this function.
 
Upvote 21
A user list can also be retrieved by simply parsing the thread pages. This also seems a lot easier for potential "hackers" and you have the additional "bonus" to know who is moderator and administrator. IMHO only a very silly hacker would target the registration page for this info. And if the hacker has success with a login, all he gets is the account with the weak password.

If you own a large site you may have a firewall limiting the connections of a single client anyway...
 
Thread pages only show posting members in public forums which is very incomplete with duplicate data therefore ineffective.
 
I do the same using LSWS, but unfortunately the upgrade to LSWS5 removed the related settings.

Most boards will not have the possibility to limit connections per IP. And its possible to get around IP restrictions easily.

While not a major vulnerability it is good practice to close any function that can be exploited.
 
that can be exploited

I cannot see any exploit in getting some user names of a board. As said, you can get them more easily when parsing public thread pages.

But you generally do not want a massive DOS attack at your registration and login pages by script kiddies trying to find passwords. This is the reason we limit them in our firewall.
 
As I already experienced such hack attack last week, I can tell you for a fact that its being exploited.

One example: there are many databases that attackers can use with accounts & passwords. The attacker can check for the existence of such account names and then try if the known password for these accounts works on the system.

There are various avenues an attacker can take. Checking for existing accounts should not be available en mass.
 
This is something that can be done through server lvl however i also will like to see improvements on this area as Alfa1's concern is pretty real , there are many hacked website database hanging around on internet where they are trying to match usernames to brute force passwords.
 
I woke the other day to 1980 pages of errors in my server logs from someone using a script to send thousands of registration submissions every sec.
 
Not long ago I had contact with Troy Hunt of https://haveibeenpwned.com about the mass of account databases that have been breached lately. Especially vbulletin forums. Troy can hardly keep up with the amount of databases that are available on the net. Here are the latest breaches: https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches

There now are billions of account name & passwords combinations that hackers have access to. All they need to do is to query xenforo to see which of these exist on a site. Which can currently be done without limit. Then half of the work is done and the related passwords for those accounts can be tried with 4 attempts, but they only need one try per account to see if the password matches.

I think it would be a good move if xenforo would treat this partial vulnerability as an important issue.
 
While user "enumeration" can be a potential vulnerability, actively querying the registration form is one hell of a noise maker.

Trying to limit username validation by IP address is pointless in an "Internet of Things" era. A simple botnet could do thousands of queries anywhere decentralized. Example, look at the Mirai botnet. It was able to execute one of the largest DDoS attacks known thus far, and it all originated from compromised devices.

Even if XenForo was to successfully implement a 'limit username validation' attempt, there is still a much less noisy method and a successful method an accurate and valid list usernames in anyone's XenForo installation: Download the site's sitemap.
 
Yes please xenforo staff, here i have reason for you to do also, i hope you will implement this and improve security aspects, moreover you should let your community members force to change password as a dump of username + password is available easily.


ss.webp
 
Top Bottom