ReddAPI: No Captcha or rate limit on Login Page

ID H1:6697
Type hackerone
Reporter exploitprotocol
Modified 2014-04-23T15:21:13


Hello ReddApi Security Team,

Vulnerability Details:-

Login page can be brute-forced due to lack of captcha or backoff.


An attacker can brute-force a particular username and possibly achieve an account takeover.


I have made a proof-of-concept video of the same:- The above video is unlisted.

Countermeasure:- Implement a Captcha

With regards, Aditya Agrawal
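The "backoff" countermeasure the report says is missing, shown as an added example that is not part of the report or of ReddAPI's code: a per-account throttle that delays repeated failed logins exponentially and demands a captcha once a failure threshold is passed. The class and function names (LoginThrottle, check, record_failure, attempts_allowed) and the thresholds are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0          # consecutive failed attempts for this account
    locked_until: float = 0.0  # epoch seconds before which attempts are refused


class LoginThrottle:
    """Exponential backoff per username (hypothetical defensive helper)."""
    FREE_ATTEMPTS = 3     # failures allowed before any delay is imposed
    BASE_DELAY = 2.0      # seconds; doubles with every further failure
    MAX_DELAY = 900.0     # cap so a locked account recovers within 15 minutes
    CAPTCHA_AFTER = 5     # failures after which a captcha is also required

    def __init__(self) -> None:
        self._accounts = {}

    def check(self, username: str, now: float) -> tuple[bool, float, bool]:
        """Return (allowed, seconds_to_wait, captcha_required) for an attempt."""
        st = self._accounts.get(username, _State())
        wait = max(0.0, st.locked_until - now)
        return wait == 0.0, wait, st.failures >= self.CAPTCHA_AFTER

    def record_failure(self, username: str, now: float) -> float:
        """Register a wrong password; return the backoff delay now in force."""
        st = self._accounts.setdefault(username, _State())
        st.failures += 1
        extra = st.failures - self.FREE_ATTEMPTS
        delay = 0.0 if extra <= 0 else min(self.MAX_DELAY, self.BASE_DELAY * 2 ** (extra - 1))
        st.locked_until = now + delay
        return delay

    def record_success(self, username: str) -> None:
        """A correct login clears the counter and any pending lock."""
        self._accounts.pop(username, None)


def attempts_allowed(throttle: LoginThrottle, username: str, attempts: int, interval: float = 1.0) -> int:
    """Constructed scenario: `attempts` wrong passwords sent every `interval`
    seconds; return how many actually reached password verification."""
    evaluated = 0
    for i in range(attempts):
        now = i * interval
        allowed, _, _ = throttle.check(username, now)
        if allowed:
            evaluated += 1
            throttle.record_failure(username, now)
    return evaluated
```

With no throttle all 60 guesses in the scenario would be verified; with the backoff only 8 are, and the account is already in the captcha-required state, which is the kind of reduction the report's fix is meant to achieve.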