How to get the same error code in different cases when attempting to log in through a user flow?

Felipe Vanegas 26 Reputation points
2022-11-17T16:51:56.11+00:00

We developed an application using Azure B2C with a log-in user flow, but the security team has detected a vulnerability considered critical with the Azure B2C log-in user flow.

This vulnerability consists of a malicious actor being able to attempt to log in with many different e-mails and, based on the response from Azure B2C, identify which e-mails are registered in the app and which are not.

This is done by checking the fields "message" and "errorCode" in the response:

261480-screenshot-2.png

261583-screenshot-1.png

When the e-mail exists, but the password is incorrect, the error code will be AADB2C90054 and the message will be "Invalid username or password.", but when the e-mail is not registered the code will be AADB2C90053 and the message will be "A user with the specified credential could not be found." (both messages in Spanish).

We have been able to override the messages using the Spanish language configuration JSON file, however, it only takes a quick Google of these error codes to come across this page where the distinction is clear (https://learn.microsoft.com/en-us/azure/active-directory-b2c/error-codes):

261534-screenshot-3.png

We would like to receive the same message and error code in the response for both cases (when the e-mail is registered but password is incorrect, and when the e-mail is not registered), to obfuscate which e-mails are registered and which are not.

Is this possible? How can we achieve this?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer
  1. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2022-11-22T04:17:24.813+00:00

    Hello @Felipe Vanegas ,

    Thanks for posting your query on Microsoft Q&A. I was able to review this, but as of now we don't have any way to add customized error messages in user flows. The only available customizations for user flows are customize-ui, Customize the user interface with HTML templates, Enable JavaScript and page layout. If this is the only possible way suiting your business needs, then kindly post this request on our feedback portal, which is monitored by our dev team.

    Workaround:

    However, we could customize the error message via a custom policy by editing the TrustFrameworkLocalization policy XML:

    <Localization Enabled="true">
      <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
        <SupportedLanguage>en</SupportedLanguage>
      </SupportedLanguages>

      <LocalizedResources Id="api.signuporsignin.en">
        <LocalizedStrings>
          <!-- Same text for the wrong-password, unknown-user and old-password cases -->
          <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">The username and/or password you have entered is incorrect.</LocalizedString>
          <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">The username and/or password you have entered is incorrect.</LocalizedString>
          <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfOldPasswordUsed">The username and/or password you have entered is incorrect.</LocalizedString>
        </LocalizedStrings>
      </LocalizedResources>
    </Localization>


    Please do let me know if you have any further queries.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer","Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.

    1 person found this answer helpful.
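Two defender-side checks for the enumeration oracle described in the question and the localization override given in the accepted answer, as an added example (this is not code from the Q&A post or from Microsoft). The first parses a TrustFrameworkLocalization fragment and reports whether the sign-in error StringIds from the answer all resolve to the same text; the second compares two captured sign-in error responses and lists every field that would still let the two cases be told apart, including `errorCode`, which the localization override does not touch. The XML fragment, the JSON bodies and the set of StringIds to compare are constructed assumptions for this example; check them against your own policy files and real responses.

```python
"""Added example: lint a B2C localization fragment and diff two sign-in error
responses to confirm that 'wrong password' and 'unknown user' are
indistinguishable. All sample data below is constructed for this example.
"""
import json
import xml.etree.ElementTree as ET

# StringIds named in the accepted answer. Assumption: these are the sign-in
# error strings your policy can surface; extend the tuple if yours has more.
SIGN_IN_ERROR_IDS = (
    "UserMessageIfInvalidPassword",
    "UserMessageIfClaimsPrincipalDoesNotExist",
    "UserMessageIfOldPasswordUsed",
)

# Constructed policy fragment, shaped like the answer's, but with one StringId
# deliberately left at a distinguishable text so the lint has something to find.
SAMPLE_LOCALIZATION_XML = """<Localization Enabled="true">
  <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
    <SupportedLanguage>en</SupportedLanguage>
  </SupportedLanguages>
  <LocalizedResources Id="api.signuporsignin.en">
    <LocalizedStrings>
      <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">The username and/or password you have entered is incorrect.</LocalizedString>
      <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">A user with the specified credential could not be found.</LocalizedString>
      <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfOldPasswordUsed">The username and/or password you have entered is incorrect.</LocalizedString>
    </LocalizedStrings>
  </LocalizedResources>
</Localization>"""

# Constructed JSON bodies with the "errorCode"/"message" fields the question
# describes; the two codes are the ones quoted in the question.
RESP_WRONG_PASSWORD = '{"status":"400","errorCode":"AADB2C90054","message":"Invalid username or password."}'
RESP_UNKNOWN_USER = '{"status":"400","errorCode":"AADB2C90053","message":"A user with the specified credential could not be found."}'


def _local(tag):
    """Strip a namespace prefix so the lint also works on a full policy file."""
    return tag.rsplit("}", 1)[-1]


def localized_error_strings(xml_text, resources_id="api.signuporsignin.en"):
    """Return {StringId: text} for ErrorMessage strings under one LocalizedResources."""
    root = ET.fromstring(xml_text)
    out = {}
    for res in root.iter():
        if _local(res.tag) != "LocalizedResources" or res.get("Id") != resources_id:
            continue
        for s in res.iter():
            if _local(s.tag) == "LocalizedString" and s.get("ElementType") == "ErrorMessage":
                out[s.get("StringId")] = (s.text or "").strip()
    return out


def lint_localized_errors(xml_text, string_ids=SIGN_IN_ERROR_IDS, resources_id="api.signuporsignin.en"):
    """Return StringIds that are missing or whose text differs from the first one.

    An empty list means every listed sign-in error resolves to one message,
    which is the property the accepted answer's override is meant to provide.
    """
    strings = localized_error_strings(xml_text, resources_id)
    reference = strings.get(string_ids[0])
    return [sid for sid in string_ids if sid not in strings or strings[sid] != reference]


def response_differences(body_a, body_b, ignore=()):
    """List JSON fields whose values differ between two sign-in error responses.

    A body-length difference is reported as "__length__" because a length
    oracle leaks the same bit even when the visible text has been aligned.
    An empty list means the two cases are indistinguishable at this layer.
    """
    a, b = json.loads(body_a), json.loads(body_b)
    diffs = [k for k in sorted(set(a) | set(b)) if k not in ignore and a.get(k) != b.get(k)]
    if len(body_a) != len(body_b):
        diffs.append("__length__")
    return diffs


if __name__ == "__main__":
    print("policy lint:", lint_localized_errors(SAMPLE_LOCALIZATION_XML))
    print("response oracle fields:", response_differences(RESP_WRONG_PASSWORD, RESP_UNKNOWN_USER))
```

Run the lint over every language's LocalizedResources (the question mentions a Spanish JSON override, so pass the matching `Id` for each) and feed `response_differences` with bodies captured from your own test tenant after the change; anything it still lists, the code field in particular, is a remaining oracle that the message override alone does not close.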

0 additional answers
