Chaturbate: No rate limit in stats api token endpoint

ID H1:412526
Type hackerone
Reporter chilliesssssss7
Modified 2018-10-19T17:41:22


Brute force on the statsapi endpoint to view the stats of a user

Steps To Reproduce:

  1. Stats api token can be generated at

I've used my profile and my token to check brute force

The correct token returned with a 200 OK status


An attacker could view the stats of a user.
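The missing control here is a limit on failed token checks. The following is an added example, not code from the report or from Chaturbate: a hypothetical server-side guard for a stats-API token lookup that counts failed verifications per client in a sliding window and answers 429 once the limit is reached, with a constant-time token comparison. Names (`TokenVerifier`, `MAX_FAILURES`, `WINDOW_SECONDS`) and the sample token are constructed for the example.

```python
import hmac
import time
from collections import defaultdict, deque

# Hypothetical guard for a stats-API token check (example code, not the
# site's implementation). Failed attempts are tracked per client in a
# sliding window; once the limit is hit the endpoint stops checking tokens.
MAX_FAILURES = 5        # failed attempts allowed per window
WINDOW_SECONDS = 60     # sliding window length in seconds


class TokenVerifier:
    def __init__(self, valid_tokens, now=time.monotonic):
        self._tokens = dict(valid_tokens)    # username -> token (constructed sample data)
        self._failures = defaultdict(deque)  # client_ip -> timestamps of failed checks
        self._now = now                      # injectable clock, so the test can advance time

    def _recent_failures(self, client_ip, now):
        q = self._failures[client_ip]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return q

    def check(self, client_ip, username, presented_token):
        """Return an HTTP-style status: 200 valid, 401 wrong token, 429 rate limited."""
        now = self._now()
        failures = self._recent_failures(client_ip, now)
        if len(failures) >= MAX_FAILURES:
            return 429  # reject before looking at the token at all
        expected = self._tokens.get(username, "")
        # constant-time comparison so response timing does not leak the token
        if expected and hmac.compare_digest(expected.encode(), presented_token.encode()):
            return 200
        failures.append(now)
        return 401
```

Keying only on client IP is a weak control on its own, since attempts can be spread across addresses; a production guard would also count failures per target account.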