Allocation of Resources Without Limits or Throttling in stevearc/pypicloud

Reported on May 27th 2021

✍️ Description

There is no rate limit on the login portal of pypicloud.

🕵️‍♂️ Proof of Concept

Here is the POC video.

The login endpoint returns 403 when the password is incorrect and 200 when the password is correct.

💥 Impact

With this vulnerability, an attacker is capable of brute-forcing user accounts and gaining access, which could lead to account loss and could also enable further damage.
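As an added mitigation example (not pypicloud's own code, and framework-agnostic rather than tied to its Pyramid stack), here is a sliding-window throttle on failed login attempts keyed per client IP and per username, so the 403/200 oracle above cannot be queried without bound; `LoginThrottle`, `attempt_login`, the `demo` scenario, the credential store and the client address are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window throttle on failed logins, keyed per client IP and per username."""
    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures, self.window = max_failures, window_seconds
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self._failures[key]  # drop failures older than the window
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, ip, username):
        now = self.clock()  # blocked if the IP or the target account hit the limit
        return any(len(self._prune(k, now)) >= self.max_failures
                   for k in (("ip", ip), ("user", username)))

    def record_failure(self, ip, username):
        now = self.clock()
        for k in (("ip", ip), ("user", username)):
            self._prune(k, now).append(now)

    def record_success(self, username):
        self._failures.pop(("user", username), None)  # IP history is kept on purpose

def attempt_login(throttle, check_password, ip, username, password):
    """429 while throttled (even for the right password), 403 on a bad one, 200 on success."""
    if throttle.is_blocked(ip, username):
        return 429
    if check_password(username, password):
        throttle.record_success(username)
        return 200
    throttle.record_failure(ip, username)
    return 403

def demo():
    """Constructed scenario: six wrong guesses, the right password, then after the window."""
    fake_now = [1000.0]
    throttle = LoginThrottle(max_failures=5, window_seconds=300, clock=lambda: fake_now[0])
    users = {"alice": "correct horse"}  # constructed credential store
    check = lambda u, p: users.get(u) == p
    ip = "203.0.113.7"  # constructed client address
    results = [attempt_login(throttle, check, ip, "alice", f"guess{i}") for i in range(6)]
    results.append(attempt_login(throttle, check, ip, "alice", "correct horse"))
    fake_now[0] += 301  # window has elapsed, counters age out
    results.append(attempt_login(throttle, check, ip, "alice", "correct horse"))
    return results  # [403, 403, 403, 403, 403, 429, 429, 200]
```

Once the limit is hit the endpoint answers 429 regardless of the password, which is what removes the brute-force oracle; pair it with logging of the throttled source so the attempts are visible in monitoring.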