Mail.ru: BRUTE FORCE ATTACK

2016-06-22T03:46:36
ID H1:146368
Type hackerone
Reporter md-firdous
Modified 2016-06-27T09:20:58

Description

Hi, I've found that the user is allowed to perform brute force in https://m.my.mail.ru/cgi-bin/login and https://babel.mail.ru/login/. I've tried to input a wrong password 30 times, then input my correct password on my 31st attempt, and it successfully logged in; a malicious-minded user can always continue guessing an account password.

Steps to reproduce

Go to https://m.my.mail.ru/cgi-bin/login and https://babel.mail.ru/login/, then click the login button, and you can now perform a brute force attack.

Regards, WHITE DRAGON
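The control the report finds missing (a correct password still accepted after 30 failures) can be closed with a per-account sliding-window lockout. The following is an added example, not Mail.ru's code; the thresholds, the account name and the timing are assumed values chosen to replay the reported sequence.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (not from the report): 5 failures within 15 minutes
# lock the account for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 900
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Per-account failed-login counter with a sliding window and lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> timestamps of failures
        self.locked_until = {}              # account -> lockout expiry time

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now=None):
        """Gate one login attempt; returns 'ok', 'bad_password' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"  # refused even when the password is correct
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:  # drop stale failures
            recent.popleft()
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "bad_password"


def replay_report_scenario(throttle=None):
    """Replays the report: 30 wrong passwords, then the right one, 1 s apart."""
    t = throttle or LoginThrottle()
    account = "victim@example.invalid"  # constructed account name
    results = [t.attempt(account, False, now=i) for i in range(30)]
    results.append(t.attempt(account, True, now=30))
    return results
```

With the throttle in place the 31st attempt is refused even though the password is right; without it, as the report describes, it would succeed.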