Short Description
The attacker can execute multiple authentication attempts without being locked out.
Reporting Date
- August 2022
Details
The attacker can run a brute-force (or credential-stuffing) attack against the authentication endpoint to guess the victim's credentials. The backend applies no rate limit to repeated invalid authentication requests, so the victim's account is never locked out or throttled, and the attacker can keep submitting guesses at full speed until one succeeds.
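The following is an added example, not code from the advisory or from the affected product, showing the vulnerable shape next to a hardened one. It models the backend as an in-process AuthService; the thresholds (5 failures per 300-second sliding window), the account and IP keys, and the sample user are all assumptions chosen for illustration.

```python
"""Added example: login checks with and without a failure-based rate limit.

Assumptions (not from the advisory): the backend is an in-process
AuthService; the thresholds and the sample credentials are illustrative.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumption: count failures over a 5-minute sliding window
MAX_FAILURES = 5       # assumption: throttle after this many failures in the window


class FailureTracker:
    """Sliding-window counter of failed attempts, keyed by an arbitrary string
    (here the target account and the client address)."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_blocked(self, key, now):
        self._prune(key, now)
        return len(self._events[key]) >= self.limit

    def record_failure(self, key, now):
        self._prune(key, now)
        self._events[key].append(now)

    def reset(self, key):
        self._events.pop(key, None)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, users, tracker=None):
        # users: {username: plaintext password}; constructed sample data only.
        self._creds = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._creds[name] = (salt, _hash_password(pw, salt))
        # Dummy credential so an unknown username costs the same as a known one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password("", self._dummy_salt)
        self.tracker = tracker or FailureTracker()

    def _verify(self, username, password):
        salt, expected = self._creds.get(username, (self._dummy_salt, self._dummy_hash))
        candidate = _hash_password(password, salt)
        return username in self._creds and hmac.compare_digest(candidate, expected)

    def login_unlimited(self, username, password):
        """The vulnerable shape: every guess is evaluated, nothing ever throttles."""
        return "ok" if self._verify(username, password) else "invalid"

    def login(self, username, password, client_ip, now=None):
        """Hardened shape: throttle on the account and on the client address, and
        refuse to evaluate the password while throttled so that a correct guess
        made inside the lockout window does not confirm the credential."""
        now = time.monotonic() if now is None else now
        keys = (f"user:{username.lower()}", f"ip:{client_ip}")
        if any(self.tracker.is_blocked(k, now) for k in keys):
            return "throttled"
        if self._verify(username, password):
            self.tracker.reset(keys[0])  # a real login clears the account counter
            return "ok"
        for k in keys:
            self.tracker.record_failure(k, now)
        return "invalid"


if __name__ == "__main__":
    svc = AuthService({"alice": "correct horse battery staple"})
    for i in range(6):
        print(i, svc.login("alice", f"guess{i}", "203.0.113.7", now=100.0))
    print("correct password while throttled:",
          svc.login("alice", "correct horse battery staple", "203.0.113.7", now=101.0))
```

Two design points matter in practice. Keying on the account as well as the source address means a distributed attacker cannot sidestep the limit by rotating IPs, and checking the throttle before running the password comparison means a lucky guess during the lockout returns the same "throttled" answer as a wrong one. A real deployment would also back the counters with shared storage so that every backend instance sees the same state, and would return HTTP 429 with a Retry-After header rather than a plain string.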
Impact
Low
References
- Bug Bounty ID: 5443fef4 (Private)
- Internal ID: SEC-742
❤ Thanks to
Hassan Jawaid for reporting the authentication rate limit vulnerability.