ZITADEL
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*
- >= 4.0.0, <= 4.0.2
- >= 3.0.0, <= 3.3.6
- < 2.71.15
A username enumeration vulnerability has been identified in Zitadel's open-source identity infrastructure software. This issue affects versions 4.0.0 prior to 4.0.3, 3.0.0 prior to 3.4.0, and all versions prior to 2.71.15. The vulnerability arises in the login user interface, which is supposed to prevent username enumeration by returning a generic response for both valid and invalid usernames. However, an unauthenticated attacker can exploit this flaw by submitting arbitrary user IDs to the select account page, bypassing the protection and distinguishing between valid and invalid accounts based on the system's response. The vulnerability can be effectively exploited by iterating through possible user IDs, although the impact can be mitigated with rate limiting or similar measures.
Exploitation of this vulnerability allows an attacker to confirm the existence of valid user accounts by receiving different responses for valid and invalid usernames, thereby bypassing Zitadel's built-in protection against username enumeration.
To reproduce this vulnerability, access the login interface of a vulnerable Zitadel version, navigate to the 'select account' page and submit user IDs. First record a baseline response for an ID that cannot exist, then compare each subsequent response (status, body, or redirect target) against that baseline: valid user IDs elicit a different response than invalid ones. The process can be automated to iterate through a range of user IDs quickly, and proceeds unhindered if no rate limiting or similar throttling is in place in front of the login endpoints.
Update to Zitadel 4.0.3, 3.4.0, or 2.71.15, the patched release for each affected branch. After updating, rate limiting or similar throttling on the login endpoints is still recommended as defence in depth against username enumeration.
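The following is an added example for this advisory, not ZITADEL's code. It models the select-account step as a small in-memory handler so that the enumeration oracle described in the reproduction steps and the two mitigations (a uniform response regardless of account existence, and per-client rate limiting from the remediation note) can be exercised offline. The account IDs, response texts, limits and the probe function are all constructed for illustration; they are not Zitadel's actual endpoints, parameters or messages.

```python
# Added example for this advisory; it is not ZITADEL code. Account IDs,
# response texts, limits and the client IP below are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Optional
import time


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed directory: the only account IDs that "exist" in this toy deployment.
KNOWN_USER_IDS = frozenset({"100000000000000001",
                            "100000000000000002",
                            "100000000000000003"})


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per
    key (here the client IP). `clock` is injectable for deterministic tests."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # key -> deque of request timestamps

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SelectAccountPage:
    """Toy stand-in for the login UI's select-account step.

    uniform=False reproduces the oracle: status and body depend on whether the
    submitted ID exists. uniform=True is the behaviour the advisory says the
    login UI is supposed to have: the same response either way."""

    def __init__(self, users, uniform: bool, limiter: Optional[RateLimiter] = None):
        self.users = users
        self.uniform = uniform
        self.limiter = limiter

    def handle(self, client_ip: str, user_id: str) -> Response:
        if self.limiter is not None and not self.limiter.allow(client_ip):
            return Response(429, "Too many requests")
        if self.uniform:
            # The lookup still happens, but its result must not shape this
            # response; it may only influence later steps of the login flow.
            _ = user_id in self.users
            return Response(200, "Continue to sign in")
        if user_id in self.users:  # vulnerable: response leaks existence
            return Response(200, "Select account")
        return Response(404, "Account not found")


def probe(page: SelectAccountPage, client_ip: str, candidate_ids):
    """Attacker-side loop from the reproduction steps: take a baseline from an
    ID that cannot exist, then flag every candidate whose (status, body) differs.
    Returns (confirmed valid IDs, number of requests the limiter blocked)."""
    baseline = page.handle(client_ip, "000000000000000000")  # constructed invalid ID
    confirmed, blocked = set(), 0
    for uid in candidate_ids:
        r = page.handle(client_ip, uid)
        if r.status == 429:
            blocked += 1
        elif r != baseline:
            confirmed.add(uid)
    return confirmed, blocked


if __name__ == "__main__":
    candidates = ["100000000000000001", "100000000000000009",
                  "100000000000000002", "100000000000000008"]
    print("vulnerable:", probe(SelectAccountPage(KNOWN_USER_IDS, False), "203.0.113.5", candidates))
    print("uniform:   ", probe(SelectAccountPage(KNOWN_USER_IDS, True), "203.0.113.5", candidates))
    limited = SelectAccountPage(KNOWN_USER_IDS, False, RateLimiter(limit=3, window=60))
    print("limited:   ", probe(limited, "203.0.113.5", candidates))
```

Against the vulnerable handler the probe confirms every existing ID; against the uniform handler it confirms nothing, because every response equals the baseline. The rate limiter does not remove the oracle, it only caps how many IDs a single client can test per window, which is why the advisory treats it as a mitigation rather than a fix.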