Users are able to protect their broadcasts with a password, so only visitors who have been given the password can log in to the broadcast room. I noticed that rate limiting is missing at the endpoint
/roomlogin/user/, which enables me to brute force the password field.
I made 1k+ requests, but the server still did not block my requests.
Send the request to Intruder and run it until you get the right password.
An attacker is able to access someone's private room.
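The missing control, as an added example that is not code from the affected service: a sliding-window limiter on failed password attempts, checked before the password is verified. The names `AttemptLimiter`, `room_login`, `demo_verify`, the thresholds and the demo room are assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window counter of failed room-password attempts."""

    def __init__(self, per_client=5, per_room=50, window=300.0, clock=time.monotonic):
        self.limits = {"client": per_client, "room": per_room}
        self.window = window
        self.clock = clock  # injectable so tests can advance time
        self._failures = defaultdict(deque)

    def _keys(self, room_id, client_ip):
        # The per-room key still trips when guesses are spread across many IPs.
        return (("client", room_id, client_ip), ("room", room_id, None))

    def blocked(self, room_id, client_ip):
        cutoff = self.clock() - self.window
        for key in self._keys(room_id, client_ip):
            q = self._failures[key]
            while q and q[0] <= cutoff:
                q.popleft()  # forget failures older than the window
            if len(q) >= self.limits[key[0]]:
                return True
        return False

    def record_failure(self, room_id, client_ip):
        for key in self._keys(room_id, client_ip):
            self._failures[key].append(self.clock())

def room_login(limiter, verify, room_id, client_ip, password):
    """Return an HTTP-style status: 200 ok, 401 wrong password, 429 throttled."""
    if limiter.blocked(room_id, client_ip):
        return 429  # refuse before the password is even checked
    if verify(room_id, password):
        return 200
    limiter.record_failure(room_id, client_ip)
    return 401

# Constructed demo data: one room and its password (a real service stores a hash).
DEMO_ROOMS = {"room-1": "correct horse"}

def demo_verify(room_id, password):
    expected = DEMO_ROOMS.get(room_id)
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())
```

The per-room limit also lets anyone temporarily lock legitimate visitors out of a room, so it should be set well above the per-client limit and paired with alerting to the room owner.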