ReddAPI: No Captcha or rate limit on Login Page

2014-04-09T11:22:33
ID H1:6697
Type hackerone
Reporter exploitprotocol
Modified 2014-04-23T15:21:13

Description

Hello ReddApi Security Team,

Vulnerability Details:-

Login page can be brute-forced due to lack of captcha or backoff.

Impact:-

An attacker can brute-force a particular username and can possibly get an account takeover.

POC:-

I have made a proof of concept video of the same:- https://www.youtube.com/watch?v=zX0jXkMqiCo The above video is unlisted.

Countermeasure:- Implement a Captcha

With Regards, Aditya Agrawal
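Added example, not part of the report and not ReddAPI's code: the backoff countermeasure the report asks for, written as a login guard that counts failed attempts per account and per source address and doubles the lockout after a few free misses, with a simulated brute-force run against both the unthrottled login and the guarded one. The user store, the guess list, the IP address and every function name are constructed for the demonstration; a CAPTCHA step is left out so the backoff alone can be measured. The clock is a value passed in rather than real time, so the run is deterministic and finishes instantly.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed user store: one account, salted PBKDF2 hash. The iteration
# count is kept low only so the demo runs quickly; use far more in production.
_SALT = b"constructed-salt-not-for-production"
_ITERATIONS = 10_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"victim": _hash_password("sunshine")}

# Constructed guess list; the real password is deliberately the last entry.
CANDIDATES = ["123456", "password", "qwerty", "letmein",
              "welcome", "admin123", "iloveyou", "sunshine"]


@dataclass
class _FailureState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Failed-attempt counter with exponential backoff, keyed per account and
    per source address. The first `free_failures` misses cost nothing; every
    further miss doubles the lockout, capped at `max_delay` seconds."""

    def __init__(self, free_failures=3, base_delay=1.0, max_delay=900.0):
        self.free_failures = free_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}

    def retry_after(self, key, now):
        st = self._state.get(key)
        if st is None or now >= st.locked_until:
            return 0.0
        return st.locked_until - now

    def record_failure(self, key, now):
        st = self._state.setdefault(key, _FailureState())
        st.failures += 1
        over = st.failures - self.free_failures
        if over > 0:
            delay = min(self.base_delay * 2 ** (over - 1), self.max_delay)
            st.locked_until = now + delay

    def record_success(self, key):
        self._state.pop(key, None)


def attempt_login(username, password, source_ip, guard=None, now=0.0):
    """Returns (status, retry_after). guard=None models the unthrottled login
    page from the report; with a guard, a throttled request is refused before
    the password is examined, so lockouts do not leak whether it was right."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if guard is not None:
        wait = max(guard.retry_after(k, now) for k in keys)
        if wait > 0:
            return "throttled", wait
    stored = USERS.get(username)
    digest = _hash_password(password)  # hash even for unknown users (timing)
    ok = stored is not None and hmac.compare_digest(stored, digest)
    if guard is not None:
        if ok:
            guard.record_success(keys[0])
        else:
            for k in keys:
                guard.record_failure(k, now)
    return ("ok" if ok else "bad_credentials"), 0.0


def impatient_brute_force(guard, username="victim", source_ip="203.0.113.7"):
    """Fires every guess back-to-back at the same instant, as a naive tool
    would. Returns (found, list of per-attempt statuses)."""
    statuses = []
    for pw in CANDIDATES:
        status, _ = attempt_login(username, pw, source_ip, guard, now=0.0)
        statuses.append(status)
        if status == "ok":
            return True, statuses
    return False, statuses


def patient_brute_force(guard, username="victim", source_ip="203.0.113.7"):
    """Waits out each lockout on the virtual clock. Returns (found, seconds)."""
    now = 0.0
    for pw in CANDIDATES:
        status, wait = attempt_login(username, pw, source_ip, guard, now)
        while status == "throttled":
            now += wait
            status, wait = attempt_login(username, pw, source_ip, guard, now)
        if status == "ok":
            return True, now
    return False, now


if __name__ == "__main__":
    print(impatient_brute_force(None))          # found on guess 8, no delay
    print(impatient_brute_force(LoginGuard()))  # 4 misses, then only "throttled"
    print(patient_brute_force(LoginGuard()))    # found, but after 15 s of lockouts
```

Keying the counter on both the username and the source address matters: a per-account counter alone lets one attacker spray many accounts from one host, and a per-IP counter alone lets a distributed attacker hammer one account. With the default settings the eight-guess list costs a patient attacker 1+2+4+8 seconds; the same growth caps at `max_delay` per miss, so a realistic wordlist of thousands of entries becomes days of waiting rather than seconds.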