bitaccess: Missing Rate limiting for sensitive actions (like "forgot password") and reCaptcha error.

2016-08-15T15:23:05
ID H1:159497
Type hackerone
Reporter brainspere402
Modified 2016-11-21T17:12:18

Description

Due to a bug in session management, rate limiting was not properly applied to some functionality on the website, which let a bad actor send unlimited password reset emails by bypassing the reCAPTCHA rate limit.

This was not a security issue; it was fixed to prevent spamming users.
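The report attributes the bypass to session management, which is the usual shape of this bug: the reset counter (and the CAPTCHA gate in front of it) is scoped to the caller's session, so a client that discards its cookie gets a fresh counter on every request. The following is an added illustration, not bitaccess code; the report does not say how their limiter was keyed, so the session-keyed design, the 3-per-hour policy and the request shape are assumptions. It puts the bypassable limiter beside one keyed on the target account, which caps mail to any one victim no matter how many sessions the attacker starts.

```python
"""Added example (not bitaccess code): a password-reset rate limiter keyed on
the caller's session is bypassed by starting a new session per request;
keying on the target account survives that. Policy values are assumed."""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600      # assumed policy: one-hour sliding window
MAX_RESETS_PER_WINDOW = 3  # assumed policy: 3 reset emails per key per window


class ResetRateLimiter:
    """Sliding-window counter; key_fn decides what a request is counted against."""

    def __init__(self, key_fn, limit=MAX_RESETS_PER_WINDOW, window=WINDOW_SECONDS):
        self.key_fn = key_fn
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, request, now=None):
        """Return True if a reset email may be sent for this request."""
        now = time.time() if now is None else now
        key = self.key_fn(request)
        q = self.events[key]
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def weak_limiter():
    """Counts per session id: a client that drops its cookie gets a new
    session and therefore a fresh counter on every request."""
    return ResetRateLimiter(lambda r: ("session", r["session_id"]))


def hard_limiter():
    """Counts per target account, so mail to one victim is capped regardless
    of how many sessions (or CAPTCHA solves) the attacker has."""
    return ResetRateLimiter(lambda r: ("account", r["email"].strip().lower()))


def simulate(limiter, requests, now=0.0):
    """Return how many of the requests would actually have sent an email."""
    return sum(1 for r in requests if limiter.allow(r, now=now))


def attacker_requests(n, victim="victim@example.com"):
    """Constructed input: each request arrives with a brand-new session id,
    as a client that discards its cookie between requests would produce."""
    return [{"session_id": f"sess-{i}", "email": victim} for i in range(n)]


if __name__ == "__main__":
    burst = attacker_requests(20)
    print("session-keyed limiter sent:", simulate(weak_limiter(), burst))
    print("account-keyed limiter sent:", simulate(hard_limiter(), burst))
```

Keying on the account is the minimum; in practice the counter is usually the conjunction of per-account and per-source-IP limits, and the CAPTCHA is checked server-side against the same key rather than against a session flag that a new session resets.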