ezBookkeeping - v0.7.0 - Login Bruteforce

By 0xhamy 03:12 AM - September 29th 2025
Type software
Product Environment web
Product Name ezBookkeeping
Product Vendor Mayswind
Product Version 0.7.0
Product Link https://github.com/mayswind/ezbookkeeping
Vulnerability Name Login Bruteforce
Severity Critical
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score 9.8
CVE ID CVE-2024-57603
Vendor Acknowledgement Yes
Affected Digital Assets 100
Affected Users 100
Date of Reporting Dec 27, 2024
PoC Exploit https://gist.github.com/0xHamy/edbf260d4ab6bb9628148bb376619292
Credit 0xhamy

Description

The /api/authorize.json login endpoint is susceptible to credential-stuffing and brute-force attacks against both username and password because, by default, there is no effective rate limiting, progressive backoff, account lockout, or bot mitigation (e.g., CAPTCHA). The endpoint returns a deterministic error response for invalid credentials, which an attacker can use as the stop condition for scripted password guessing at scale, increasing the risk of account takeover.


Reproduce

  1. Open the login UI: http://10.0.0.94/desktop#/login.
  2. Intercept a normal login attempt with a proxy (Burp Suite, etc.). Example request (trimmed/redacted):

     POST /api/authorize.json HTTP/1.1
     Host: 10.0.0.94
     Content-Type: application/json
     Origin: http://10.0.0.94/
     Referer: http://10.0.0.94/desktop

     {"loginName":"man1","password":"1234567890"}

  3. Submit a wrong password and observe the response body:

     {"errorCode":201002,"errorMessage":"login name or password is wrong","path":"/api/authorize.json","success":false}

  4. Automate: use the consistent error code/message as a condition in a script to iterate many username/password combinations. Because there are no throttles or progressive delays, an attacker can rapidly enumerate or guess credentials until one succeeds.
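The traffic pattern the steps above produce (a burst of deterministic failures from one source, or one username failing from many sources) is what server-side monitoring should flag. The Go program below is an added example for this advisory, not code from ezBookkeeping or from the reporter; it assumes a constructed authentication-log format of "<RFC3339 time> ip=<addr> user=<name> result=<fail|success>" lines, constructed sample entries, and illustrative thresholds. It raises one alert when an IP reaches five failures inside a one-minute sliding window and one when a username has failed from three distinct IPs.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Thresholds are illustrative assumptions, not values from ezBookkeeping.
type Thresholds struct {
	IPFailures  int           // failures from one IP inside Window that raise an alert
	Window      time.Duration // sliding window for the per-IP count
	DistinctIPs int           // distinct source IPs failing on one username that raise an alert
}

// Alert names what was flagged: Kind is "ip" or "user", Key the address or username.
type Alert struct {
	Kind, Key string
	Count     int
}

type event struct {
	at       time.Time
	ip, user string
	fail     bool
}

// parseLine reads one line of the constructed log format
// "<RFC3339 time> ip=<addr> user=<name> result=<fail|success>".
func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[1], "ip=") || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "result=") {
		return event{}, fmt.Errorf("malformed line %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, err
	}
	return event{at: at, ip: f[1][3:], user: f[2][5:], fail: f[3][7:] == "fail"}, nil
}

// Analyze scans the log in order and flags an IP reaching IPFailures failures inside
// Window (rapid guessing) and a username failing from DistinctIPs sources (stuffing).
func Analyze(logText string, th Thresholds) ([]Alert, error) {
	var alerts []Alert
	recent := map[string][]time.Time{}        // per-IP failure times still inside Window
	ipsPerUser := map[string]map[string]bool{} // per-user set of failing source IPs
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if !ev.fail {
			continue // successful logins do not count
		}
		ts := recent[ev.ip]
		for len(ts) > 0 && ev.at.Sub(ts[0]) > th.Window {
			ts = ts[1:] // drop failures that fell out of the window
		}
		ts = append(ts, ev.at)
		recent[ev.ip] = ts
		if len(ts) == th.IPFailures { // fires when the threshold is first reached
			alerts = append(alerts, Alert{"ip", ev.ip, len(ts)})
		}
		if ipsPerUser[ev.user] == nil {
			ipsPerUser[ev.user] = map[string]bool{}
		}
		ipsPerUser[ev.user][ev.ip] = true
		if n := len(ipsPerUser[ev.user]); n == th.DistinctIPs {
			alerts = append(alerts, Alert{"user", ev.user, n})
		}
	}
	return alerts, sc.Err()
}

// SampleLog is constructed for this example; it is not output from ezBookkeeping.
const SampleLog = `2025-09-29T03:12:00Z ip=203.0.113.5 user=man1 result=fail
2025-09-29T03:12:00Z ip=203.0.113.5 user=man1 result=fail
2025-09-29T03:12:01Z ip=203.0.113.5 user=man1 result=fail
2025-09-29T03:12:01Z ip=203.0.113.5 user=admin result=fail
2025-09-29T03:12:02Z ip=203.0.113.5 user=man1 result=fail
2025-09-29T03:15:00Z ip=198.51.100.7 user=alice result=fail
2025-09-29T03:15:05Z ip=198.51.100.8 user=alice result=fail
2025-09-29T03:15:09Z ip=198.51.100.9 user=alice result=fail
2025-09-29T03:20:00Z ip=192.0.2.10 user=bob result=success
`

func main() {
	alerts, err := Analyze(SampleLog, Thresholds{IPFailures: 5, Window: time.Minute, DistinctIPs: 3})
	fmt.Println(alerts, err)
}
```

The per-IP rule catches the single-source brute force shown in the reproduction steps; the per-user rule catches the same attack spread across many addresses, which a pure per-IP limit would miss. In production the counters would live in the application's log pipeline or SIEM rather than in memory, and the username field should be the one from the failed request body, not the session.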

Recommendation

  • Enforce rate limits & backoff: Apply per-account, per-IP, and per-endpoint rate limiting. Introduce progressive delays (exponential backoff) after failed attempts.
  • Account lockout / cooldown: Temporarily lock or require additional verification after a configurable number of failed attempts (e.g., lock for N minutes after 5–10 failures). Ensure lockout notifications are sent to the account owner.
  • Anti-bot protections: Add CAPTCHAs or challenge-response (adaptive: after suspicious behavior or repeated failures) and integrate bot-detection / device-fingerprinting for high-volume sources.
  • Avoid revealing valid usernames: Return a generic authentication failure message that does not confirm whether the username or password was incorrect.
  • Multi-factor authentication: Encourage/require MFA for high-risk accounts and for sensitive actions; enforce it during authentication flows.
  • Credential stuffing defenses: Block known compromised credentials, use breached-password checks (e.g., Pwned Passwords), and throttle repeated attempts using the same username across different IPs.
  • Monitoring & alerting: Log failed-login patterns, alert on rapid/large-scale failures, and create dashboards for unusual authentication activity.
  • WAF & IP reputation: Deploy WAF rules and IP reputation / rate-limiting at the edge to slow automated attacks.
  • Secure password handling: Ensure the backend uses salted, slow password hashing (e.g., Argon2/Bcrypt) and does not leak timing or error details.
  • Progressive rollout & testing: Add unit/integration tests for rate-limiting and lockout logic and perform pen tests / red-team exercises to validate mitigations.
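The first two recommendations (per-account and per-IP rate limiting with exponential backoff, and a lockout after a configurable number of failures) can be implemented as a small gate the login handler consults before it verifies the password. The following Go code is an added example for this advisory, not ezBookkeeping's own implementation; the Policy values, the key naming ("account:<name>" and "ip:<addr>") and the injected clock are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Policy holds the throttling parameters; the values in main are illustrative assumptions.
type Policy struct {
	MaxFailures   int           // failures inside Window that trigger a lockout
	BaseDelay     time.Duration // delay after the first failure; doubles per failure
	MaxDelay      time.Duration // cap on the progressive delay
	LockoutPeriod time.Duration // how long a locked key stays blocked
	Window        time.Duration // failures older than this are forgotten
}

type counter struct {
	failures                 int
	lastFailure, lockedUntil time.Time
}

// Decision tells the login handler whether to verify the password at all.
type Decision struct {
	Allowed    bool
	RetryAfter time.Duration
	Reason     string
}

// Throttle keeps one counter per "account:<name>" and one per "ip:<addr>", so a single
// source cannot spray many accounts and a single account cannot be hit from many sources.
type Throttle struct {
	mu       sync.Mutex
	policy   Policy
	now      func() time.Time // injected clock (assumption) so tests can control time
	counters map[string]*counter
}

func NewThrottle(p Policy, now func() time.Time) *Throttle {
	return &Throttle{policy: p, now: now, counters: map[string]*counter{}}
}

// Allow is called by the login handler before it touches the password hash.
func (t *Throttle) Allow(account, ip string) Decision {
	t.mu.Lock()
	defer t.mu.Unlock()
	now := t.now()
	for _, key := range []string{"account:" + account, "ip:" + ip} {
		c := t.counters[key]
		if c == nil {
			continue
		}
		if now.Before(c.lockedUntil) {
			return Decision{RetryAfter: c.lockedUntil.Sub(now), Reason: key + " locked"}
		}
		if now.Sub(c.lastFailure) > t.policy.Window {
			continue // old failures expired
		}
		// progressive delay: BaseDelay doubled per failure, capped at MaxDelay (failures >= 1 here)
		delay := t.policy.MaxDelay
		if d := t.policy.BaseDelay << uint(c.failures-1); c.failures < 32 && d > 0 && d < delay {
			delay = d
		}
		if wait := delay - now.Sub(c.lastFailure); wait > 0 {
			return Decision{RetryAfter: wait, Reason: key + " backoff"}
		}
	}
	return Decision{Allowed: true}
}

// RecordFailure is called after a wrong password; the client still gets the same generic error.
func (t *Throttle) RecordFailure(account, ip string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	now := t.now()
	for _, key := range []string{"account:" + account, "ip:" + ip} {
		c, ok := t.counters[key]
		if !ok {
			c = &counter{}
			t.counters[key] = c
		} else if now.Sub(c.lastFailure) > t.policy.Window {
			c.failures = 0 // old failures expired
		}
		c.failures++
		c.lastFailure = now
		if c.failures >= t.policy.MaxFailures {
			c.lockedUntil = now.Add(t.policy.LockoutPeriod)
		}
	}
}

func main() {
	th := NewThrottle(Policy{MaxFailures: 5, BaseDelay: time.Second, MaxDelay: 30 * time.Second,
		LockoutPeriod: 15 * time.Minute, Window: 10 * time.Minute}, time.Now)
	th.RecordFailure("man1", "203.0.113.5") // constructed sample attempt
	fmt.Printf("%+v\n", th.Allow("man1", "203.0.113.5"))
}
```

The handler calls Allow first, returns the same generic "login name or password is wrong" body (optionally with a Retry-After header) when it is refused, and calls RecordFailure only after an actual password mismatch, so the error message itself never changes and the throttle cannot be used to tell valid usernames from invalid ones. A successful login should clear the account counter but leave the IP counter in place, so a source alternating valid and guessed credentials stays throttled; in a multi-instance deployment the counters belong in shared storage rather than process memory.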

Applying a combination of rate-limiting, account lockouts, anti-bot measures, MFA, and improved logging will substantially reduce the risk from automated brute-force and credential-stuffing attacks.