JRACLOUD-65725

Username enumeration using the Login page in OnDemand

Details

    Description

      We have received an email:

      From: Kiran Karnad <kiran.karnad@gmail.com>
      Date: 26 August 2014 19:18
      Subject: Re: Responsible Disclosure...

      Hi Vitaly,

      I haven't heard from you regarding my email earlier...

      I would like to make a full disclosure of this issue which I reported and for which you've denied fixes (the links you've sent me are not the same as what I reported).

      You being such a busy person, at least let the users who pay so much money take care of themselves, as it's pretty evident that you don't want to take care of them.

      I will go ahead with full disclosure in the next 5 days if you can't take out just 2 minutes out of your "busy schedule" and read the report I've sent before jumping to conclusions. If you are unable to understand the technicalities of the issue, you should either discuss with me or your superior.

      Thanks,
      Kiran

      On Thu, Aug 7, 2014 at 10:21 PM, Kiran Karnad <kiran.karnad@gmail.com> wrote:
      >
      > Hi Vitaly,
      >
      > Just as a postlude to my report which wasn't accepted by Atlassian, I thought you might be interested in these posts which focus on user enumeration issues in the recent past...
      >
      > Russian hackers steal 1.2 Billion passwords: http://news.msn.com/science-technology/report-russian-hackers-steal-12b-passwords
      >
      > 2014 top 5 attack vectors, guess what's the first: http://blog.securestate.com/new-2014-attack-vectors-report-release/
      >
      > Mozilla database disclosure: https://blog.mozilla.org/security/2014/08/01/mdn-database-disclosure/
      >
      > I wanted to also ask of you... since my report is not rejected but is being accepted as a vulnerability which won't be fixed now, don't you think my name should be on your hall of fame? Sorry for being too direct here, but it does mean a lot to me to be on Atlassian HoF :o)
      >
      > Thanks & Have a Wonderful Day,
      > Kiran
      >
      >
      > On Thu, Jul 31, 2014 at 1:22 PM, Kiran Karnad <kiran.karnad@gmail.com> wrote:
      >>
      >> Hi Vitaly,
      >>
      >> Thanks for the note.. As long as you are ok, I'm ok too :o)
      >>
      >> Have a Wonderful Day,
      >> Kiran
      >>
      >>
      >> On Thu, Jul 31, 2014 at 12:21 PM, Vitaly Osipov <vosipov@atlassian.com> wrote:
      >>>
      >>> Hi Kiran,
      >>>
      >>> Thank you for your message. We are currently not working on disabling
      >>> all possible user enumeration vectors. The public issues below are not
      >>> exactly what you're talking about (they are about JIRA, not OnDemand
      >>> OpenID component), yet they provide the gist of what the current
      >>> situation is.
      >>>
      >>> https://jira.atlassian.com/browse/JRA-34013
      >>> https://jira.atlassian.com/browse/JRA-23653
      >>>
      >>> Please check https://confluence.atlassian.com/display/SUPPORT/How+to+Report+a+Security+Issue
      >>> in regard to what we look for in vulnerability reports.
      >>>
      >>>
      >>> Regards,
      >>> Vitaly
      >>>
      >>>
      >>> On 31 July 2014 11:56, Kiran Karnad <kiran.karnad@gmail.com> wrote:
      >>> > Dear Atlassian Team,
      >>> >
      >>> > First of all, thanks a lot for giving all of us such a wonderful product!
      >>> >
      >>> > I would like to make a responsible disclosure on atlassian.com. This issue
      >>> > holds true for all onDemand logins
      >>> >
      >>> > Title: Username enumeration using the Login page
      >>> >
      >>> > Pre-requisites:
      >>> >
      >>> > 1. ZAP or Burp Proxy is needed for interception
      >>> > 2. I am assuming that usernames & email ids are important to protect from
      >>> > enumeration by an attacker
      >>> >
      >>> > Detailed Steps:
      >>> >
      >>> > 1. Go to https://kpisoft.atlassian.net/login (our account that we've
      >>> > subscribed)
      >>> > 2. On the login page, enter the username admin (or kiran, mercy or
      >>> > chanel); all of these are valid ids.
      >>> > 3. Enter any junk password (I tried with 12345)
      >>> > 4. Click on "Login using OnDemand"
      >>> > 5. Capture the response from the server
      >>> > 6. Now perform the same steps 4 & 5 using an invalid username (I tried with
      >>> > timmappana and password 12345)
      >>> >
      >>> > Compare the two responses:
      >>> >
      >>> > You'll notice that in case 1, when the username is valid, the response is
      >>> > shorter: 8217 bytes in my case (with admin). The tag <span class="error"
      >>> > id="error-authentication_failure_invalid_credentials">Invalid
      >>> > credentials.</span>
      >>> > is available in the response.
      >>> >
      >>> > To understand the above message: JIRA didn't locate these credentials;
      >>> > however, OnDemand did!!
      >>> >
      >>> > Next, let's look at the second (invalid) response (username timmappana). The
      >>> > response size is slightly more (8217 bytes) & is: <span class="error"
      >>> > id="error-authentication_failure_openid_unknownuser">Your account is not yet
      >>> > available in this OnDemand instance.</span>
      >>> >
      >>> > Please find attached the screen shot of the comparer difference between the
      >>> > two responses.
      >>> >
      >>> > Recommendation:
      >>> >
      >>> > 1. There should be no difference in response size between valid and invalid
      >>> > ids
      >>> > 2. There is no need to send back the usernames/ email ids in the response
      >>> >
      >>> > Please do let me know if you need any other information
      >>> >
      >>> > Thanks and Best Regards,
      >>> > Kiran

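The differential test in the report above (steps 1 to 6 plus the response comparison) and its two recommendations, as an added example that is not part of the issue or of Atlassian's code. The login pages below are constructed stand-ins modelled on the two error spans quoted in the report; the baseline username and the generic error span id are assumptions. The "leaky" renderer reproduces the behaviour Kiran describes, the "hardened" renderer returns the same body for valid and invalid usernames, and the client-side checker flags any candidate whose failed-login response differs from a known-bogus baseline:

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

# --- Server side: the leaky behaviour described in the report and a fixed variant ---

# Constructed login page skeleton (not captured from Atlassian). It deliberately
# does not echo the submitted username back, per recommendation 2 in the report.
PAGE_TEMPLATE = (
    '<html><body><form action="/login" method="post">'
    '<input name="username"><input name="password" type="password">'
    "{error}"
    "<button>Login using OnDemand</button></form></body></html>"
)

# The two error spans quoted in the report.
LEAKY_KNOWN_USER_ERROR = (
    '<span class="error" id="error-authentication_failure_invalid_credentials">'
    "Invalid credentials.</span>"
)
LEAKY_UNKNOWN_USER_ERROR = (
    '<span class="error" id="error-authentication_failure_openid_unknownuser">'
    "Your account is not yet available in this OnDemand instance.</span>"
)
# Hypothetical generic message for the fixed page (id and text are assumptions).
GENERIC_ERROR = (
    '<span class="error" id="error-authentication_failure">'
    "Invalid username or password.</span>"
)


def render_login_failure_leaky(username: str, known_users: Set[str]) -> str:
    """Vulnerable form: the error span (and so the body length) depends on
    whether the username exists, which is the oracle the report describes."""
    err = LEAKY_KNOWN_USER_ERROR if username in known_users else LEAKY_UNKNOWN_USER_ERROR
    return PAGE_TEMPLATE.format(error=err)


def render_login_failure_hardened(username: str, known_users: Set[str]) -> str:
    """Hardened form: one generic message whether or not the user exists, so
    valid and invalid usernames produce byte-identical bodies (recommendation 1)."""
    return PAGE_TEMPLATE.format(error=GENERIC_ERROR)


# --- Client side: the comparison a tester runs on the two captured responses ---

ERROR_SPAN = re.compile(r'<span class="error" id="(error-[^"]+)">', re.S)


@dataclass(frozen=True)
class Observation:
    username: str
    length: int              # body length in bytes, the value compared in the report
    error_id: Optional[str]  # id attribute of the error span, if any


def observe(username: str, body: str) -> Observation:
    """Reduce a failed-login response to the two features the report compares."""
    m = ERROR_SPAN.search(body)
    return Observation(username, len(body.encode()), m.group(1) if m else None)


def distinguishing_signals(a: Observation, b: Observation) -> Set[str]:
    """Which features separate two failed-login responses. An empty set means
    the server gave nothing away for this pair."""
    signals: Set[str] = set()
    if a.length != b.length:
        signals.add("length")
    if a.error_id != b.error_id:
        signals.add("error_id")
    return signals


def enumerate_users(
    candidates: Iterable[str],
    fetch: Callable[[str], str],
    baseline_username: str = "zz-not-a-real-user-7c3e",  # assumed not to exist
) -> List[str]:
    """Compare each candidate's failed-login response against the response for
    a username assumed not to exist; candidates whose response differs are
    reported as likely-valid accounts."""
    baseline = observe(baseline_username, fetch(baseline_username))
    return [u for u in candidates if distinguishing_signals(baseline, observe(u, fetch(u)))]


if __name__ == "__main__":
    known = {"admin", "kiran", "mercy", "chanel"}  # the valid ids named in the report
    wordlist = ["admin", "timmappana", "kiran", "bob"]
    print("leaky   :", enumerate_users(wordlist, lambda u: render_login_failure_leaky(u, known)))
    print("hardened:", enumerate_users(wordlist, lambda u: render_login_failure_hardened(u, known)))
```

Against the leaky renderer the wordlist yields exactly the valid ids; against the hardened one it yields nothing, because every failed login returns the same bytes. The checker only looks at body length and the error span id; a real assessment should also compare status codes, redirects, response headers and timing, since any of those can carry the same oracle even after the body is made uniform.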
      People

        Assignee: Unassigned
        Reporter: vosipov (VitalyA)
        Votes: 0
        Watchers: 3