Name Inducing Account Lockout
Summary An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
Prerequisites The system has a lockout mechanism. An attacker must be able to reproduce behavior that would result in an account being locked.
Solutions Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name. When implementing security features, consider how they can be misused and made to turn on themselves.
Related Weaknesses
CWE ID Description
CWE-645 Overly Restrictive Account Lockout Mechanism
Back to Top