Security flaw in MySQL, MariaDB allows access with any password–just keep submitting it

A great writeup on the extreme security flaw found (and subsequently patched) in MySQL and MariaDB. Given a valid username, any database could be accessed simply by entering an incorrect password enough times.

Because of the random key strings used, Golubchik said the probability of exploiting the flaw on any given attempt “is about 1/256”; with enough attempts, even using the same password over and over again, an attacker could gain access just by knowing a valid account name (such as “root”). Given that it takes less than a second to submit hundreds of login attempts, the hole essentially renders password protection worthless.
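A defender-side check for the pattern described above, added here as an example and not taken from the writeup: it flags accounts that receive a burst of failed logins from one host and uses the quoted 1/256 figure to estimate how likely such a burst was to get in. The log line format, the window and threshold values, and the sample hosts are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

P_PER_ATTEMPT = 1 / 256  # per-attempt figure quoted above
# Assumed line format: error-log warning written for each failed login.
FAIL_RE = re.compile(r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied "
                     r"for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def bypass_probability(attempts):
    """Chance that at least one of `attempts` wrong-password logins is accepted."""
    return 1 - (1 - P_PER_ATTEMPT) ** attempts

def find_bursts(lines, window=timedelta(seconds=2), threshold=100):
    """Flag (user, host) pairs with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%y%m%d %H:%M:%S")
            failures[(m["user"], m["host"])].append(ts)
    alerts = []
    for (user, host), stamps in failures.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"user": user, "host": host, "peak": peak,
                           "p_bypass": bypass_probability(len(stamps))})
    return alerts

def sample_log():
    """Constructed log: 300 rapid failures for root, 3 slow ones for app."""
    fmt = ("120611 10:{:02d}:{:02d} [Warning] Access denied for user "
           "'{}'@'{}' (using password: YES)")
    burst = [fmt.format(15, 1 + i // 150, "root", "203.0.113.7") for i in range(300)]
    slow = [fmt.format(20 + 5 * i, 0, "app", "10.0.0.5") for i in range(3)]
    return burst + slow

if __name__ == "__main__":
    for alert in find_bursts(sample_log()):
        print(alert)
```

On an unpatched server, any successful login that follows a flagged burst for the same account should be treated as suspect, since the estimate for 300 attempts is already about 69%.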
