No rate limit on sending magic link to sign-in in vriteio/vrite
Reported on
Sep 24th 2023
Description
It was observed that rate limiting is not implemented on sending the magic link, which allows an attacker to spam the victim's mailbox.
Affected URL: https://app.vrite.io/api/v1/auth.sendMagicLink?batch=1
Proof of Concept
1. Visit https://app.vrite.io/auth
2. Select the "continue with" magic link option.
3. Now enter the mail address, turn on your intercept and capture the request while you click on Send magic link.
4. Now hit this request multiple times using Intruder.
5. You will see that the mailbox has been spammed.
PoC
Video PoC: https://drive.google.com/file/d/1Ej4DoUFeFDUzD5bdhmQ6mpuWDgZMGbw9/view?usp=sharing
Impact
Due to the lack of rate limiting, this may enable an email spam attack or put immense load on the mail server in use, causing additional expenses for the organization. In certain conditions it may lead to application-level DoS.
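Added example, not code from the report or from Vrite: a fixed-window limiter placed in front of the magic-link sender, keyed by recipient address and by client IP, written in TypeScript since Vrite is a Node/TypeScript application. The limits (3 per recipient, 10 per IP, per 15 minutes), the `deliver` callback and the sample addresses are assumptions; `simulateReplay` reproduces the report's step 4 and shows how many mails the mailbox would actually receive with the limiter in place.

```typescript
// Added example (not Vrite's code): a fixed-window rate limiter in front of a
// magic-link sender, keyed by recipient address and by client IP.
interface Bucket { windowStart: number; count: number }

class FixedWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly buckets = new Map<string, Bucket>();
  constructor(limit: number, windowMs: number) { this.limit = limit; this.windowMs = windowMs; }

  // Record one request for `key` at time `now` (ms). True = allowed, false = over limit.
  hit(key: string, now: number): boolean {
    const b = this.buckets.get(key);
    if (b === undefined || now - b.windowStart >= this.windowMs) {
      this.buckets.set(key, { windowStart: now, count: 1 }); // start a new window
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

type SendResult = "sent" | "rate_limited";
// Assumed policy (not from the report): 3 links per recipient and 10 attempts per IP per 15 minutes.
const POLICY = { perEmail: 3, perIp: 10, windowMs: 15 * 60 * 1000 };

// Wraps the real sender (`deliver`, assumed) so that sendMagicLink cannot be replayed without limit.
function createMagicLinkGate(deliver: (to: string) => void, policy = POLICY) {
  const byEmail = new FixedWindowLimiter(policy.perEmail, policy.windowMs);
  const byIp = new FixedWindowLimiter(policy.perIp, policy.windowMs);
  return (email: string, clientIp: string, now: number): SendResult => {
    const recipient = email.trim().toLowerCase(); // "A@x.io" and "a@x.io" share one bucket
    if (!byIp.hit(`ip:${clientIp}`, now)) return "rate_limited";       // one source, many victims
    if (!byEmail.hit(`email:${recipient}`, now)) return "rate_limited"; // many sources, one victim
    deliver(recipient);
    return "sent";
  };
}

// Replays one captured request `attempts` times from a single IP (the report's step 4)
// and counts how many mails the victim's mailbox would actually receive.
function simulateReplay(attempts: number, ip = "198.51.100.7"): { sent: number; limited: number } {
  let delivered = 0;
  const send = createMagicLinkGate(() => { delivered += 1; });
  let limited = 0;
  for (let i = 0; i < attempts; i++) {
    if (send("victim@example.com", ip, 1000 + i) === "rate_limited") limited += 1;
  }
  return { sent: delivered, limited };
}
```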