Account lockout attack

Last revision (mm/dd/yy): //

Description
In an account lockout attack, an attacker attempts to lock out user accounts by purposely failing the authentication process as many times as needed to trigger the account lockout functionality. This in turn prevents even the valid user from obtaining access to their account. For example, if an account lockout policy states that users are locked out of their accounts after three failed login attempts, an attacker can lock out accounts by deliberately sending an invalid password three times. On a large scale, this attack can be used as one method in launching a denial of service attack on many accounts. The impact of such an attack is compounded when there is a significant amount of work required to unlock the accounts to allow users to attempt to authenticate again.

eBay Account Lockout Attack
At one time, eBay displayed the user-id of the highest bidder for a given auction. In the final minutes of the auction, an attacker who was wanting to outbid the current highest bidder could attempt to authenticate three times using the targeted account. After three deliberately incorrect authentication attempts, eBay password throttling would lock out the highest bidder's account for a certain amount of time. An attacker could then make their own bid and the legitimate user would not have a chance to place a counter-bid because they would be locked out of their account.

Related Attacks

 * Brute force attack
 * Denial of Service

Related Vulnerabilities

 * Abuse of Functionality
 * http://www.gnucitizen.org/blog/username-enumeration-vulnerabilities/

Related Controls

 * Authentication Cheat Sheet
 * Testing for Captcha (OWASP-AT-008)
 * Testing for User Enumeration and Guessable User Account (OWASP-AT-002)
 * Authentication