Tandoor Recipes Basic Authentication Brute-Force Vulnerability

Vulnerability

A vulnerability in Tandoor Recipes versions prior to 2.6.0 allows unrestricted brute-force attacks on user accounts via the API. The application uses Django REST Framework with Basic Authentication enabled by default, but applies no rate limiting to API endpoints. The AllAuth rate limiting only covers the HTML login page; every API endpoint that accepts Basic Authentication is therefore a password oracle that can be queried without restriction, and a wrong guess is rejected with a plain error response instead of counting towards any lockout. This lets an attacker rapidly guess passwords for known usernames, potentially leading to unauthorized access.

Impact

Exploitation of this vulnerability lets an attacker sidestep the rate limits and account lockout that protect the HTML login form, since none of them apply to the API, enabling high-speed password guessing limited only by network throughput. A successful guess yields full access to the affected user account.

Reproduction

To reproduce this vulnerability:

1. Confirm that Basic Authentication is active by requesting a protected API endpoint with a known username and an incorrect password; the response should be 403 Forbidden (a 401 Unauthorized would equally confirm that credentials are being checked).
2. Repeat the request with the correct password for the same username; the response should be 200 OK.
3. Send a rapid series of failed attempts (e.g., 20 requests with different incorrect passwords) for the same username, then try the correct password once more.

If no 429 Too Many Requests response appears during step 3 and the correct password still returns 200 OK afterwards (no lockout), the vulnerability is confirmed.
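The three-step check above, as an added example (this is not Tandoor's code). It runs the probe against a local stand-in server built with the standard library so it works offline: the unthrottled variant answers every Basic Auth guess like the unpatched application, and the throttled variant returns 429 after a hypothetical threshold of five failures per client and username. The endpoint path /api/recipe/, the sample account, and MAX_FAILURES are assumptions for illustration; point probe() at a real Tandoor URL to test a deployment.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request
from collections import defaultdict

# Constructed sample account for the local stand-in server (not a real Tandoor user).
USERS = {"alice": "correct-horse-battery"}
# Hypothetical lockout threshold, used only by the throttled variant of the stand-in.
MAX_FAILURES = 5


def make_handler(throttle):
    """Build a request handler that checks HTTP Basic credentials.

    throttle=False mimics the unpatched behaviour (every guess is answered);
    throttle=True answers 429 once a (client IP, username) pair has failed too often.
    """
    failures = defaultdict(int)

    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging
            pass

        def reply(self, code):
            self.send_response(code)
            self.end_headers()

        def do_GET(self):
            header = self.headers.get("Authorization", "")
            if not header.startswith("Basic "):
                return self.reply(403)
            try:
                user, _, password = base64.b64decode(header[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                return self.reply(403)
            key = (self.client_address[0], user)
            if throttle and failures[key] >= MAX_FAILURES:
                return self.reply(429)
            if USERS.get(user) == password:
                failures[key] = 0
                return self.reply(200)
            failures[key] += 1
            return self.reply(403)

    return Handler


def start_server(throttle):
    """Start the stand-in server on an ephemeral localhost port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(throttle))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def status_for(url, user, password):
    """Send one Basic-authenticated GET and return the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url, user, good_password, attempts=20):
    """Run the advisory's three-step check against one endpoint."""
    first_bad = status_for(url, user, "not-the-password")
    first_good = status_for(url, user, good_password)
    if first_bad not in (401, 403) or first_good != 200:
        return {"basic_auth": False, "vulnerable": None, "codes": [first_bad, first_good]}
    codes = [status_for(url, user, f"guess-{i}") for i in range(attempts)]
    rate_limited = 429 in codes
    locked_out = status_for(url, user, good_password) != 200  # correct password now rejected
    return {
        "basic_auth": True,
        "rate_limited": rate_limited,
        "locked_out": locked_out,
        "codes": codes,
        "vulnerable": not (rate_limited or locked_out),
    }


def run_check(throttle, attempts=20):
    """Start a local stand-in server, probe it, and return the probe result."""
    server = start_server(throttle)
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/api/recipe/"  # hypothetical path
        return probe(url, "alice", USERS["alice"], attempts)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for throttle in (False, True):
        label = "throttled stand-in" if throttle else "unthrottled stand-in"
        print(label, "->", run_check(throttle))
```

Against a real target, vulnerable is True only when Basic Authentication was confirmed first, so a server that never accepts the correct password (basic_auth False) is reported as inconclusive rather than safe. The throttled variant shows both signals a patched server might give: 429 mid-run, and the correct password being refused afterwards.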

Remediation

Users should update to Tandoor Recipes version 2.6.0 or later, where this vulnerability has been patched. Until the upgrade is applied, operators can reduce exposure by rate-limiting requests to the API paths at a reverse proxy in front of the application, which the API's own authentication layer does not do in affected versions.

Added: Mar 26, 2026, 7:29 PM
Updated: Mar 26, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.3
exploitability: 9.1
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.