Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by zain812 - 12.11.2024
Last edited by cbay - 12.11.2024

FS#97 - Password Reset Email Flooding (No Rate Limiting)

__**Observation:**__

During testing of the web application, I found that the "Forgot Password" functionality
lacks proper rate limiting. After entering my email address to reset my password multiple
times in quick succession (more than 61 times, at intervals of 30-40 seconds), the
system sent all the reset emails without any restriction. The application does not
implement a time-based threshold (e.g., 10 or 20 minutes) between password reset
requests, which makes it vulnerable to abuse.

====Risk:==== Medium (in some scenarios/cases it will be High)

====Impact:====

• Email Flooding: An attacker could repeatedly request password reset emails for any user account, causing the victim's inbox to be flooded with reset emails. This can lead to denial of service for the victim by cluttering their inbox or, in some cases, may trigger email provider throttling, preventing legitimate emails from reaching the user.
• Account Lockout Exploit: Although this vulnerability does not directly lead to unauthorized access, it could be combined with social engineering attacks, where victims are confused by multiple reset emails, potentially tricking them into taking malicious actions.

__**Recommendation:**__

• Implement Rate Limiting: Add a limit on how many password reset requests can be sent within a specific time frame (e.g., 3 attempts per hour).

• Time-based Delay: Enforce a minimum time interval (e.g., 10-20 minutes) between consecutive password reset requests for the same email address.

• CAPTCHA Implementation: Add CAPTCHA to the password reset functionality to prevent automated abuse by bots.

• Alert Mechanism: Notify users if multiple password reset requests are made in a short period to alert them to potential malicious activity.

• Logging & Monitoring: Implement logging to monitor multiple reset attempts and detect any abuse patterns, which can trigger additional security measures.

Closed by  cbay
12.11.2024 11:33
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysdata.com/task/89

That was previously reported by me, lol.
But that time I used a temp email, so I didn't receive anything from your side.

<del>**Email Bombing / Denial of Service (DoS):**</del>

An attacker could flood a victim’s email inbox with password reset emails, effectively rendering their email service unusable.
This is particularly problematic for users relying on their email for essential communication, causing reputational damage to the platform.

**Facilitation of Social Engineering Attacks:**

By generating password reset emails en masse, an attacker could use them to trick users into believing their account is under attack.
This may lead to successful phishing attacks where users provide sensitive information to attackers.

====Indirect Account Compromise:====

If the victim has a weak email password, attackers could perform a parallel brute-force attack on the victim’s email account to intercept the password reset link.
This could lead to unauthorized access to the victim's account on your platform.

**Recommendation:**

To address this issue, I recommend implementing a rate limit for the password reset functionality. Specifically:

Limit password reset requests to 1 request per account per 5-10 minutes.
If multiple requests are made in quick succession, display a generic error message like:
"Too many requests. Please try again in a few minutes."

Optionally, enforce IP-based rate limits to prevent abuse from the same source.

**Additional Suggestions:**

CAPTCHA: Introduce a CAPTCHA mechanism after a certain number of failed requests to block automated attacks.

Generic Responses: Use generic confirmation messages (e.g., "If this email exists in our system, a reset link has been sent.") to prevent account enumeration.
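The two recommendation lists above (per-address interval, per-IP limit, an alert to the user, logging, and a generic response) can be combined in one small throttle. The following is an added example written for this page; it is not alwaysdata's code and not code from the reporter. The limit values, the `account_exists` / `send_mail` callbacks, the address `victim@example.com`, the IP `198.51.100.7` and the 61-request replay are all assumptions or constructed data. One deliberate difference from the text above: the response is the same generic sentence whether the mail was sent, the address is unknown, or the request was throttled, so the endpoint does not reveal throttle state or account existence; the throttling is still visible to the operator through the audit log.

```python
import time
from collections import defaultdict, deque

# Same text for every outcome (sent, unknown address, throttled), so the
# endpoint leaks neither account existence nor throttle state.
GENERIC_RESPONSE = "If this email exists in our system, a reset link has been sent."


class ResetThrottle:
    """Per-address interval plus per-IP window for password reset requests.

    Limits below are assumptions, not values from the report: at most one
    reset mail per address every 10 minutes, at most 5 requests per source
    IP per hour, and one 'unusual activity' notice per address per interval
    once 3 requests have been suppressed (so a flood yields at most two mails
    per address per interval, never one per request).
    """

    def __init__(self, email_interval=600.0, ip_limit=5, ip_window=3600.0, alert_after=3):
        self.email_interval = email_interval
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.alert_after = alert_after
        self._last_sent = {}                  # address -> time of last reset mail
        self._ip_hits = defaultdict(deque)    # ip -> request times inside the window
        self._suppressed = defaultdict(int)   # address -> requests dropped since last mail
        self.audit_log = []                   # (time, event, address, ip) for monitoring

    @staticmethod
    def normalize(address):
        # Case and whitespace variants of one mailbox must share one budget.
        return address.strip().lower()

    def _ip_allowed(self, ip, now):
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window:   # sliding window
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return False
        hits.append(now)
        return True

    def request(self, address, ip, account_exists, send_mail, now=None):
        """Handle one 'Forgot password' submission.

        account_exists(address) -> bool and send_mail(address, kind) are
        supplied by the application (assumed callbacks). Returns
        (decision, response_text) where decision is 'sent', 'unknown_account',
        'throttled_ip' or 'throttled_email'; response_text is always GENERIC_RESPONSE.
        """
        now = time.time() if now is None else now
        address = self.normalize(address)
        if not self._ip_allowed(ip, now):
            self.audit_log.append((now, "throttled_ip", address, ip))
            return "throttled_ip", GENERIC_RESPONSE
        if not account_exists(address):
            # Logged but answered identically; a production version should also
            # equalize response time so timing does not reveal unknown addresses.
            self.audit_log.append((now, "unknown_account", address, ip))
            return "unknown_account", GENERIC_RESPONSE
        last = self._last_sent.get(address)
        if last is not None and now - last < self.email_interval:
            self._suppressed[address] += 1
            self.audit_log.append((now, "throttled_email", address, ip))
            if self._suppressed[address] == self.alert_after:
                send_mail(address, kind="alert")   # one notice, not another reset link
            return "throttled_email", GENERIC_RESPONSE
        send_mail(address, kind="reset")
        self._last_sent[address] = now
        self._suppressed[address] = 0
        self.audit_log.append((now, "sent", address, ip))
        return "sent", GENERIC_RESPONSE


def simulate_flood(requests=61, spacing=35.0, ip="198.51.100.7"):
    """Replay the report's scenario (61 requests, 30-40 s apart, one source)
    against the throttle. Constructed data; returns (mails_by_kind, throttle)."""
    throttle = ResetThrottle()
    mails = {"reset": 0, "alert": 0}
    registered = {"victim@example.com"}       # constructed account table

    def send_mail(address, kind):
        mails[kind] += 1

    for i in range(requests):
        throttle.request("Victim@Example.com ", ip, registered.__contains__,
                         send_mail, now=i * spacing)
    return mails, throttle


if __name__ == "__main__":
    mails, throttle = simulate_flood()
    events = [e[1] for e in throttle.audit_log]
    print("mails sent:", mails)                          # {'reset': 1, 'alert': 1}
    print({k: events.count(k) for k in set(events)})     # sent 1, throttled_email 4, throttled_ip 56
```

Replaying the reported flood (61 requests, 35 s apart, one source IP) against these limits delivers one reset link and one notice to the victim instead of 61 mails: the first four repeats are dropped by the per-address interval, and the per-IP window then rejects the remaining 56 before the address is even looked up. The in-memory dictionaries are for illustration; behind several web workers the same counters would live in a shared store such as Redis.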
