ID: 253 | Status: Closed | Summary: [No Rate Limit] Unlimited password-reset requests on ht ... | Opened by: trinity

Task Description

Vulnerability
The password-reset endpoint https://admin.alwaysdata.com/password/lost/ accepts unlimited requests for any e-mail address without rate limiting, CAPTCHA, or cooldown.

Impact
- An attacker can flood any user’s mailbox with hundreds/thousands of password-reset e-mails
- Targeted denial-of-service against a specific user
- PTP (Password-reset Token Poisoning) & Password Reset Abuse
- Loss of trust and bypassing of normal security controls

Steps to Reproduce
1. Go to https://admin.alwaysdata.com/password/lost/
2. Enter any valid e-mail address that has an alwaysdata account
3. Capture the request in Burp Suite / Intruder
4. Send it to Intruder, remove all payloads except the e-mail parameter
5. Start the attack with multiple threads
→ The victim instantly receives a flood of password-reset e-mails (see attached PoC video/screenshots)

Proof of Concept
(Attach your video or screenshots here – click “Choose File”)

Recommended Fix
Implement at least one of the following on the password-reset endpoint:
- Strict per-IP + per-e-mail rate limiting (e.g., max 3–5 requests per hour)
- CAPTCHA (hCaptcha/reCAPTCHA)
- Temporary account lockout after X attempts
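As an added illustration of the first recommended fix (not code from the report or from alwaysdata), the following sliding-window limiter enforces both a per-e-mail and a per-IP cap on reset requests. The limits, the in-memory storage, and the constructed request sequence are assumptions for the example; the endpoint should still return the same generic "if that address exists, a mail was sent" response whether or not the limiter lets the mail go out.

```python
import time
from collections import defaultdict, deque

# Assumed limits in the spirit of the report's "3-5 requests per hour".
WINDOW_SECONDS = 3600
MAX_PER_EMAIL = 3   # resets per address per window, whatever the source IP
MAX_PER_IP = 5      # resets per client IP per window, whatever the address


class ResetRateLimiter:
    """Hypothetical limiter for a password-reset endpoint.

    State is kept in memory for illustration only; a real deployment would
    keep the timestamps in shared storage so every app instance sees them.
    """

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._hits = defaultdict(deque)      # key -> request timestamps

    def _has_room(self, key, limit):
        """Drop timestamps older than the window; report whether one more fits."""
        q = self._hits[key]
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q) < limit

    def allow(self, ip, email):
        """Record and permit the request only if BOTH counters have room."""
        key_email = "email:" + email.strip().lower()   # normalise to stop trivial variants
        key_ip = "ip:" + ip
        if not (self._has_room(key_email, MAX_PER_EMAIL)
                and self._has_room(key_ip, MAX_PER_IP)):
            return False   # caller still sends the generic response, but no e-mail
        ts = self._now()
        self._hits[key_email].append(ts)
        self._hits[key_ip].append(ts)
        return True


# Constructed sequence of (client IP, submitted address, seconds since start).
SAMPLE_EVENTS = [
    ("203.0.113.5", "Victim@Example.com", 0), ("203.0.113.5", "victim@example.com", 10),
    ("203.0.113.5", "victim@example.com ", 20), ("203.0.113.5", "victim@example.com", 30),
    ("198.51.100.7", "victim@example.com", 40), ("203.0.113.5", "other@example.com", 50),
    ("203.0.113.5", "third@example.com", 60), ("203.0.113.5", "fourth@example.com", 70),
    ("203.0.113.5", "victim@example.com", 3601),
]


def simulate(events):
    """Replay events against a fresh limiter with a fake clock; return decisions."""
    clock = {"t": 0.0}
    limiter = ResetRateLimiter(now=lambda: clock["t"])
    decisions = []
    for ip, email, t in events:
        clock["t"] = float(t)
        decisions.append(limiter.allow(ip, email))
    return decisions
```

In the sample, the fourth and fifth requests are refused by the per-address cap (the fifth from a different IP), the eighth by the per-IP cap, and the last is accepted again once the oldest hit has aged out of the window.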

Researcher: TrinityXploit
