Impact
We have a rate limit of 300 requests/5 minutes and 600 requests/25 hours per IP address on gem push request (POST /api/v1/gems). It was possible to brute force the OTP code using this endpoint if the attacker uses an IP rotator.
Impact
The brute force of OTP code could be escalated to account takeover if the attacker already has access to the user's password or if they could hijack the user session with some alternate method.
Patches
We have added a rate limit of 300 req / 5 min and 900 req / 25 hr on each user account. This limit can't be bypassed by changing the IP address of the client. Please check #3121 for more details.
laursisask Analyst
Impact
We have a rate limit of 300 requests/5 minutes and 600 requests/25 hours per IP address on gem push request (
POST /api/v1/gems). It was possible to brute force the OTP code using this endpoint if the attacker uses an IP rotator.Impact
The brute force of OTP code could be escalated to account takeover if the attacker already has access to the user's password or if they could hijack the user session with some alternate method.
Patches
We have added a rate limit of 300 req / 5 min and 900 req / 25 hr on each user account. This limit can't be bypassed by changing the IP address of the client. Please check #3121 for more details.