Weblate: No Rate Limiting at Change Password

ID H1:223694
Type hackerone
Reporter mga_bobo
Modified 2017-05-17T14:07:51


Hello Team,

I found out that you didn't implement rate limiting on Change Password.

Scenario: This scenario is limited, but some of the programs here consider this. The victim forgot to log out of his/her account at a cafe/internet computer shop. The attacker saw that the account was not logged out and has knowledge of this vulnerability. The attacker doesn't have any idea of the victim's password, and this allows him to brute-force the victim's password via Change Password.

Proof of Concept: {F179198}
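The mitigation the report asks for, as an added example that is not Weblate's own code: a change-password handler that counts failed current-password checks per user and refuses further attempts once a limit is hit within a window. The limit, window, `ChangePasswordService` class and PBKDF2 storage are assumptions for the demo, not Weblate's implementation.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Assumed policy for this demo: 5 failed current-password checks within
# 10 minutes lock the change-password endpoint for that user.
MAX_FAILURES = 5
WINDOW_SECONDS = 600


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 hash); a fresh salt is drawn if none given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ChangePasswordService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for deterministic tests
        self.users = {}                       # username -> (salt, hash)
        self.failures = defaultdict(list)     # username -> timestamps of failures

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def _recent_failures(self, username):
        # Drop failures older than the window, keep the rest.
        cutoff = self.clock() - WINDOW_SECONDS
        recent = [t for t in self.failures[username] if t > cutoff]
        self.failures[username] = recent
        return len(recent)

    def change_password(self, username, current, new):
        # Check the limit BEFORE verifying, so a locked-out caller gets the
        # same answer whether or not the guess was right (no oracle).
        if self._recent_failures(username) >= MAX_FAILURES:
            return "rate_limited"
        salt, stored = self.users[username]
        _, candidate = hash_password(current, salt)
        if not hmac.compare_digest(stored, candidate):
            self.failures[username].append(self.clock())
            return "wrong_password"
        self.failures[username].clear()       # success resets the counter
        self.users[username] = hash_password(new)
        return "changed"
```

A stolen browser session alone still lets the attacker reach the endpoint, but with this in place each session yields at most `MAX_FAILURES` guesses per window instead of an unbounded brute force.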