FLIP Federated Learning Platform Brute-Force and Credential-Stuffing Vulnerability
Vulnerability
A vulnerability exists in the Federated Learning and Interoperability Platform (FLIP) login page, all versions prior to 0.1.1. The absence of rate limiting and CAPTCHA allows for brute-force and credential-stuffing attacks. This issue is particularly concerning as FLIP users are external to the organization, heightening the risk of credential reuse.
Impact
The lack of rate limiting and CAPTCHA on the login page facilitates brute-force and credential-stuffing attacks: an attacker can submit an unbounded number of login attempts to guess a user's password or to replay credentials that the user reused from another service.
Remediation
To address this vulnerability, FLIP deployments should enable AWS Cognito Advanced Security Features, which provide account takeover protection and adaptive authentication. Additionally, AWS WAF can be configured to rate-limit login attempts. It is also recommended to implement rate-limiting middleware in the FastAPI application itself.
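As an added example (not FLIP project code), the following shows what the recommended application-level rate limiting can look like in FastAPI: a sliding-window limiter on failed logins, keyed both per client IP and per target username, wired into a hypothetical POST /login route. It assumes the route takes JSON "username" and "password" fields and that verify_credentials is a stub standing in for the real Cognito check.

```python
# Added example, not FLIP project code; verify_credentials is a hypothetical stub.
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    """Per-IP failure limit throttles credential stuffing (many accounts, one
    source); per-username limit throttles brute force (one account, any source)."""

    def __init__(self, max_per_ip=20, max_per_user=5, window_seconds=300):
        self.max_per_ip, self.max_per_user = max_per_ip, max_per_user
        self.window = window_seconds
        self._by_ip = defaultdict(deque)    # ip -> failure timestamps
        self._by_user = defaultdict(deque)  # username -> failure timestamps

    def _prune(self, q, now):
        while q and now - q[0] > self.window:  # forget failures outside window
            q.popleft()

    def is_allowed(self, ip, username, now=None):
        now = time.monotonic() if now is None else now
        ip_q, user_q = self._by_ip[ip], self._by_user[username.lower()]
        self._prune(ip_q, now)
        self._prune(user_q, now)
        return len(ip_q) < self.max_per_ip and len(user_q) < self.max_per_user

    def record_failure(self, ip, username, now=None):
        now = time.monotonic() if now is None else now
        self._by_ip[ip].append(now)
        self._by_user[username.lower()].append(now)

    def record_success(self, ip, username):
        # Only the per-user counter resets; a source spraying accounts stays throttled.
        self._by_user.pop(username.lower(), None)

def verify_credentials(username, password):
    return False  # hypothetical stub; the real app defers to Cognito

try:  # FastAPI wiring; the limiter itself has no FastAPI dependency
    from fastapi import FastAPI, HTTPException, Request
    app, limiter = FastAPI(), LoginRateLimiter()

    @app.post("/login")
    async def login(request: Request):
        body = await request.json()
        ip, user = request.client.host, str(body.get("username", ""))
        if not limiter.is_allowed(ip, user):
            raise HTTPException(status_code=429, detail="Too many login attempts")
        if not verify_credentials(user, body.get("password", "")):
            limiter.record_failure(ip, user)
            raise HTTPException(status_code=401, detail="Invalid credentials")
        limiter.record_success(ip, user)
        return {"status": "ok"}
except ImportError:
    pass
```

Behind AWS ALB/WAF the client address must be taken from the forwarded client header rather than request.client, and a multi-instance deployment needs the counters in a shared store rather than in process memory.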