4 matches found
Reddit: No rate limit on password reset leads to email enumeration at gateway-production.dubsmash.com
Summary: I found brute force on gateway-production.dubsmash.com. Find valid usernames and emails, no rate limit. Impact: An attacker could collect all usernames and valid emails through brute force on forgot password. Steps To Reproduce: Open gateway-production.dubsmash.com and forget email and enter...
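The mechanism behind the report above, as an added example that is not the reporter's code or Dubsmash's gateway: a password-reset handler that answers differently for registered and unregistered addresses, with no throttling, lets an attacker confirm every valid e-mail in a wordlist; the hardened version returns one uniform message and applies a per-client sliding-window limit. The user store, the client key (source IP) and the limit values are assumptions.

```python
"""Added example: e-mail enumeration through an unthrottled forgot-password
endpoint, and the fix (uniform responses plus a per-client rate limit).
Illustrative code only; USERS, endpoint names and limits are assumptions."""
import time
from collections import defaultdict, deque

# Constructed sample user store (assumption, not real data).
USERS = {"alice@example.com", "bob@example.com"}


def vulnerable_forgot_password(email: str) -> tuple:
    """Reveals whether the address is registered and never throttles."""
    if email in USERS:
        return 200, "Reset link sent"
    return 404, "No account with that email"


class RateLimiter:
    """Sliding-window limiter keyed by client identifier (e.g. source IP)."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, client: str) -> bool:
        now = self.clock()
        hits = self._hits[client]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def hardened_forgot_password(email: str, client: str, limiter: RateLimiter) -> tuple:
    """Same status and body for known and unknown addresses, throttled per client."""
    if not limiter.allow(client):
        return 429, "Too many requests"
    if email in USERS:
        pass  # send the reset mail out of band; never reflect the outcome
    return 200, "If that address is registered, a reset link has been sent"


def enumerate_emails(handler, candidates, **handler_kwargs) -> dict:
    """Attacker loop: record the status the endpoint returns for each guess."""
    return {email: handler(email, **handler_kwargs)[0] for email in candidates}


if __name__ == "__main__":
    guesses = ["alice@example.com", "mallory@example.com", "bob@example.com"]
    print(enumerate_emails(vulnerable_forgot_password, guesses))
    limiter = RateLimiter(limit=2, window_seconds=60)
    print(enumerate_emails(hardened_forgot_password, guesses,
                           client="10.0.0.1", limiter=limiter))
```

Against the vulnerable handler the status code alone separates registered from unregistered addresses; against the hardened one a valid and an invalid address produce identical responses, and the third guess from the same client is refused. Note that the limiter must be keyed on something the attacker cannot cheaply rotate (IP plus target address, or an account-level counter), and that response timing should also be made uniform so the out-of-band mail send does not reintroduce the oracle.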
Reddit: [dubsmash] Long String in 'shoutout' Parameter Leading to Internal Server Error on Popular Hashtags, Community and User Profile
Summary: If the user inputs a long string in the 'shoutout' parameter of the 'CreateVideo' API, then all the APIs where this video is supposed to appear, e.g. the hashtag API, community API and user profile API, will throw 'internal server error' in the response. This will cause a denial of service attac...
Reddit: [dubsmash] Lack of authorization checks - Update Sound Titles
Summary: During security testing, it was observed that the UpdateSound API is vulnerable to IDOR. It allows an attacker to edit the victim's sound track titles. This vulnerability can be exploited using the sound track's uuid in the vulnerable request. This id is publicly known. Steps To...
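An in-memory model of the two API defects described in the 'shoutout' report and the UpdateSound report, added here as an example and not taken from Dubsmash's code or either reporter: a create-video call that stores an unbounded 'shoutout' so every downstream feed that renders it fails, and an update-sound call that trusts a publicly known uuid without checking who owns the record. Both are shown beside their fixes (server-side length validation at write time; an ownership check before the update). The record shapes, the 280-character limit, the error types and the simulated downstream failure are assumptions.

```python
"""Added example (not Dubsmash's code): stored over-long input breaking every
consumer, and an IDOR on UpdateSound, each with its fix. Limits, error
types and the simulated downstream crash are assumptions."""
import uuid
from dataclasses import dataclass, field

MAX_SHOUTOUT_LEN = 280  # assumed limit; use whatever the client actually allows


class Forbidden(Exception):
    """Caller is not allowed to modify this object."""


class ValidationError(Exception):
    """Request field rejected before anything is stored."""


@dataclass
class Sound:
    owner: str
    title: str
    id: str = field(default_factory=lambda: uuid.uuid4().hex)


@dataclass
class Video:
    owner: str
    shoutout: str
    id: str = field(default_factory=lambda: uuid.uuid4().hex)


class Api:
    def __init__(self):
        self.sounds = {}
        self.videos = {}

    # ---- UpdateSound: vulnerable vs. fixed -------------------------------
    def create_sound(self, user: str, title: str) -> str:
        s = Sound(owner=user, title=title)
        self.sounds[s.id] = s
        return s.id  # the uuid is public, so it must not double as authorization

    def update_sound_vulnerable(self, user: str, sound_id: str, title: str) -> None:
        # Looks up by uuid only; 'user' is never compared with the owner.
        self.sounds[sound_id].title = title

    def update_sound(self, user: str, sound_id: str, title: str) -> None:
        sound = self.sounds[sound_id]
        if sound.owner != user:
            raise Forbidden("caller does not own this sound")
        sound.title = title

    # ---- CreateVideo 'shoutout': vulnerable vs. fixed ---------------------
    def create_video_vulnerable(self, user: str, shoutout: str) -> str:
        v = Video(owner=user, shoutout=shoutout)  # no length check
        self.videos[v.id] = v
        return v.id

    def create_video(self, user: str, shoutout: str) -> str:
        if len(shoutout) > MAX_SHOUTOUT_LEN:
            raise ValidationError(f"shoutout longer than {MAX_SHOUTOUT_LEN} chars")
        v = Video(owner=user, shoutout=shoutout)
        self.videos[v.id] = v
        return v.id

    def render_feed(self) -> list:
        """Stands in for the hashtag/community/profile APIs. The RuntimeError
        simulates the reported 500: once one oversized record is stored, every
        feed that includes it breaks, so the check belongs at write time."""
        out = []
        for v in self.videos.values():
            if len(v.shoutout) > MAX_SHOUTOUT_LEN:
                raise RuntimeError("internal server error")
            out.append(v.shoutout)
        return out
```

The IDOR fix is the general rule for any object reached by a client-supplied identifier: resolve the object, then decide from the authenticated principal (not from the identifier) whether this caller may act on it. The length check is placed on the write path rather than in each reader because one stored bad record would otherwise take every reader down at once.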
Dubsmash - Customized SSL, Dangerous filesystem permissions, MIT license vulnerabilities
HackApp vulnerability scanner discovered that the application Dubsmash, published on the 'play' market, has multiple vulnerabilities...