Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by Zain721 - 25.10.2024
Last edited by cbay - 28.10.2024

FS#89 - Vulnerability Report: Missing Rate Limiting on Password Reset Page (Potential Brute-force Exposure)

Hello Alwaysdata Security Team,

I hope this message finds you well.

I am reaching out as part of your Vulnerability Disclosure Program to report a potential security issue I found, titled "Lack of Rate Limiting on Password Reset Page".
Vulnerability Details:

The password reset page (https://admin.alwaysdata.com/password/lost/) currently does not have rate limiting enabled, which allows repeated attempts without any restrictions. I sent the request to Intruder, set my email, and set the payload to around 80 entries, and the server sent me 80 links to my email (forgot-password email links).

Impact:

Without rate limiting, the password reset functionality is vulnerable to brute-force attacks. Attackers could repeatedly attempt to exploit this page, potentially compromising user accounts and exposing sensitive information.

Recommendation:

To mitigate this issue, I recommend implementing a rate limit on the password reset endpoint to restrict the number of requests allowed within a specific timeframe. Adding additional security layers, like CAPTCHA, after several failed attempts would further strengthen account security.

Thank you for reviewing this report. Please feel free to reach out if you need additional information.

Kindly coordinate with me on this email,
zainulabideen78626@gmail.com

Best Regards,
Zain-Ul-Abideen

Closed by cbay
28.10.2024 08:36
Reason for closing: Invalid

Kindly contact me through my email because I can't frequently see this portal.
zainulabideen78626@gmail.com

Admin
cbay commented on 25.10.2024 11:44

Hello,

I don't see how sending many password reset emails would help an attacker gain access to anything. You didn't explain at all.

Kind regards,
Cyril

**Email Bombing / Denial of Service (DoS):**

An attacker could flood a victim’s email inbox with password reset emails, effectively rendering their email service unusable.
This is particularly problematic for users relying on their email for essential communication, causing reputational damage to the platform.

**Facilitation of Social Engineering Attacks:**

By generating password reset emails en masse, an attacker could use them to trick users into believing their account is under attack.
This may lead to successful phishing attacks where users provide sensitive information to attackers.

**Indirect Account Compromise:**

If the victim has a weak email password, attackers could perform a parallel brute-force attack on the victim’s email account to intercept the password reset link.
This could lead to unauthorized access to the victim's account on your platform.

Recommendation: To address this issue, I recommend implementing a rate limit for the password reset functionality. Specifically:

Limit password reset requests to 1 request per account per 5-10 minutes.
If multiple requests are made in quick succession, display a generic error message like:

"Too many requests. Please try again in a few minutes."

Optionally, enforce IP-based rate limits to prevent abuse from the same source.

Additional Suggestions: CAPTCHA: Introduce a CAPTCHA mechanism after a certain number of failed requests to block automated attacks.

Generic Responses: Use generic confirmation messages (e.g., "If this email exists in our system, a reset link has been sent.") to prevent account enumeration.
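Added example, not part of this report and not alwaysdata's code: a small Python rate limiter for a password-reset endpoint that implements the recommendation in the initial report and the specific suggestions in the comment above (one request per account per window, a generic "Too many requests" response, an optional per-IP limit, and a generic confirmation that does not reveal whether the address is registered). The window sizes, the IP limit of 5, the sample account store and the `PasswordResetLimiter` / `FakeClock` names are assumptions made for the example; a production deployment would keep the counters in a shared store rather than in process memory.

```python
"""Added example (not alwaysdata's code): in-memory rate limiting for a
password-reset endpoint, following the report's recommendations.

Assumptions (not from the original page): the handler receives the submitted
email and the client IP; the window/limit values are illustrative; the account
store below is constructed sample data.
"""
import time
from collections import defaultdict, deque

# Policy values. The per-account window follows the "1 request per account
# per 5-10 minutes" suggestion; the per-IP numbers are an assumption.
ACCOUNT_WINDOW = 10 * 60   # seconds: at most one reset email per address
IP_WINDOW = 10 * 60        # seconds
IP_LIMIT = 5               # reset requests per IP per window (assumption)

# Generic messages: the same confirmation is returned whether or not the
# address is registered, so the endpoint is not an account-enumeration oracle.
MSG_OK = "If this email exists in our system, a reset link has been sent."
MSG_THROTTLED = "Too many requests. Please try again in a few minutes."

# Constructed sample account store (not real users).
KNOWN_ACCOUNTS = {"alice@example.org", "bob@example.org"}


class FakeClock:
    """Constructed clock for the demo and tests; real code uses time.monotonic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PasswordResetLimiter:
    """Sliding-window counters keyed by normalized email and by client IP."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.by_account = {}              # normalized email -> last request time
        self.by_ip = defaultdict(deque)   # ip -> request timestamps in window
        self.sent = []                    # addresses a real handler would mail

    @staticmethod
    def normalize(email):
        # "Alice@Example.org " and "alice@example.org" must share one bucket,
        # otherwise the per-account limit is bypassed by varying case/whitespace.
        return email.strip().lower()

    def _ip_exceeded(self, ip, now):
        q = self.by_ip[ip]
        while q and now - q[0] >= IP_WINDOW:   # drop timestamps outside window
            q.popleft()
        if len(q) >= IP_LIMIT:
            return True
        q.append(now)
        return False

    def _account_exceeded(self, email, now):
        last = self.by_account.get(email)
        if last is not None and now - last < ACCOUNT_WINDOW:
            return True
        self.by_account[email] = now
        return False

    def request_reset(self, email, ip):
        """Handle one reset request; returns (http_status, message)."""
        now = self.clock()
        email = self.normalize(email)
        # The per-address throttle applies whether or not the address is
        # registered, so a 429 does not reveal which emails have accounts.
        if self._ip_exceeded(ip, now) or self._account_exceeded(email, now):
            return 429, MSG_THROTTLED
        if email in KNOWN_ACCOUNTS:
            self.sent.append(email)   # stand-in for actually sending the mail
        return 200, MSG_OK


def demo():
    """Replay the report's scenario: 80 reset requests for one address."""
    clock = FakeClock()
    limiter = PasswordResetLimiter(clock=clock)
    results = []
    for _ in range(80):
        results.append(limiter.request_reset("alice@example.org", "203.0.113.7"))
        clock.advance(1.0)   # one request per second
    return limiter, clock, results


if __name__ == "__main__":
    limiter, _, results = demo()
    accepted = sum(1 for status, _ in results if status == 200)
    print(f"{accepted} of {len(results)} requests accepted; emails sent: {limiter.sent}")
```

With this policy the 80-request replay yields one email instead of 80. Throttling on the submitted address rather than only on existing accounts matters: if unknown addresses were never throttled, the presence or absence of a 429 on repeated submissions would itself leak whether an account exists, undoing the generic confirmation message.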
