I was busy writing some code last week and while I was coding the authentication part I noticed the following. When you perform an authentication attempt against the API you will get output information back which contains information that can be used to perform a brute-force attack.
Return information after an invalid authentication attempt:
Now in case you use a valid username than you will see the Loginattempts incrementing:
This means you found a valid account, so let's push forward until it the account is locked!
So the API is also giving back the time you have to wait until you can try it again.
Exposing this kind of information makes it easier for people with bad intentions to perform brute-force attacks. Sure companies nowadays should embrace/use MFA, but when you want to automate certain actions, for example through a CI/CD pipeline, than the MFA becomes a blocker so you'll have to diverge back. I think it's time to come-up with something better that can be used for automation tasks like for example a true service account blueprint that is allowed to logon through the API alone and uses oauth refresh tokens. For the short term not exposing this information would already be a first step.
And yes, I know Commvault is showing something in the eventviewer, but this will be visible only in the CommCell console as by default is is part of the default UI layout. In Command Center you really have to have it open which doesn't happen that often hence I would like a different UI layout for Command Center.
Curious to hear the opinion of others on this!
