Chaturbate: Rate limit missing at room login

2018-07-23T12:48:31
ID H1:385381
Type hackerone
Reporter lucky_sen
Modified 2018-09-30T07:42:38

Description

Hello there,

User are able to protect there broadcasting with password, so only password granted visitor can login to broadcast room. I notice that rate limit are missing at the endpoint /roomlogin/user/ which enable me to brute force on password field.

I made 1k+ request but still server not block my request.

Steps to reproduce:-

  1. Create two account A and B. protect A's room with password.
  2. Login to B's account and access A's room with random password.
  3. Send the request to intruder and run till you get right password

  4. {F323575}

Impact

Attacker are able to access some one private room.

Thanks!