Chaturbate: No rate limit in stats api token endpoint

2018-09-21T17:44:18
ID H1:412526
Type hackerone
Reporter chilliesssssss7
Modified 2018-10-19T17:41:22

Description

Brute force against the statsapi endpoint to view the stats of a user

Steps To Reproduce:

  1. A stats API token can be generated at https://chaturbate.com/statsapi/authtoken/ and is then used at https://chaturbate.com/statsapi/?username=hackeronetestchat&token=vulnerable

I've used my profile and my token to check brute force.

The correct token returned a 200 OK status.
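As an added illustration of the missing control (not part of the original report and not Chaturbate's code), the unlimited `username`/`token` check is shown beside a version that counts failed guesses per account in a sliding window and answers 429 once the limit is hit; the account name comes from the report, while the token value, limits and window length are constructed assumptions.

```python
import hmac
import time
from collections import deque

# Constructed sample: one account and its stats API token (placeholder value, not real).
STATS_TOKENS = {"hackeronetestchat": "example-token-not-real"}

MAX_FAILURES = 5      # assumed: failed checks tolerated per account per window
WINDOW_SECONDS = 60   # assumed: sliding window length

# username -> timestamps of recent failed token checks
_failures = {}


def check_token_unlimited(username, token):
    """Weak form: every guess gets an honest yes/no, so the token space can be
    walked until a 200 comes back. (Constant-time compare still avoids a timing leak.)"""
    expected = STATS_TOKENS.get(username)
    return expected is not None and hmac.compare_digest(expected, token)


def check_token_rate_limited(username, token, now=None):
    """Hardened form: returns an HTTP-style status code.
    403 for a wrong token, 200 for the right one, and 429 once the account has
    seen MAX_FAILURES wrong tokens inside WINDOW_SECONDS, even if this guess is correct.
    `now` is injectable so the window can be tested without sleeping."""
    now = time.time() if now is None else now
    recent = _failures.setdefault(username, deque())

    # Drop failures that have aged out of the window.
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()

    if len(recent) >= MAX_FAILURES:
        return 429  # too many attempts: refuse to answer at all

    expected = STATS_TOKENS.get(username)
    if expected is not None and hmac.compare_digest(expected, token):
        return 200

    recent.append(now)  # count the miss for unknown accounts too, to avoid enumeration
    return 403
```

A production deployment would normally key the counter on client address as well as account, and log 429s so that a sustained guessing run shows up in monitoring.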

Impact

An attacker could view the stats of a user