Allocation of Resources Without Limits or Throttling in stevearc/pypicloud

Valid
Reported on May 27th 2021

✍️ Description

No rate limit on the login portal of pypicloud.

🕵️‍♂️ Proof of Concept

Here is the POC video.
https://drive.google.com/file/d/1XjUDfHgVtTQfuvxzI4SFEsF5utQe5ZFz/view?usp=drivesdk

The login endpoint returns 403 when the password is incorrect and 200 when the password is correct, with no throttling between attempts.

💥 Impact

By exploiting this vulnerability, an attacker can brute-force user accounts and gain access, which could lead to account loss and further damage.
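The mitigation this report calls for, as an added example that is not pypicloud's own code: a sliding-window login throttle that counts failures per source address and per account, locks the pair out after a burst of failures, and answers 429 while locked. The 403/200 responses mirror the behaviour observed in the proof of concept; the 429 response, the thresholds, the PBKDF2 credential store and the user records are assumptions constructed for the example.

```python
"""Added example (not pypicloud's code): per-address and per-account login
throttling that closes the brute-force window described in the report."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout.

    Failures are counted both per source address and per account, so an
    attacker can escape neither by rotating addresses nor by spraying one
    address across many accounts.
    """

    def __init__(self, max_failures=5, window_seconds=60.0,
                 lockout_seconds=300.0, clock=time.monotonic):
        self.max_failures = max_failures        # failures tolerated per window
        self.window_seconds = window_seconds    # sliding window length
        self.lockout_seconds = lockout_seconds  # how long a lockout lasts
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # key -> failure timestamps
        self._locked_until = {}                 # key -> clock time lockout ends

    @staticmethod
    def _keys(client_ip, username):
        return (("ip", client_ip), ("user", username.strip().lower()))

    def retry_after(self, client_ip, username):
        """Seconds until this address/account pair may try again; 0.0 if not locked."""
        now = self.clock()
        wait = 0.0
        for key in self._keys(client_ip, username):
            until = self._locked_until.get(key)
            if until is None:
                continue
            if now >= until:
                del self._locked_until[key]   # lockout expired, forget it
            else:
                wait = max(wait, until - now)
        return wait

    def record_failure(self, client_ip, username):
        now = self.clock()
        for key in self._keys(client_ip, username):
            stamps = self._failures[key]
            stamps.append(now)
            # Drop failures that have aged out of the window.
            while stamps and now - stamps[0] > self.window_seconds:
                stamps.popleft()
            if len(stamps) >= self.max_failures:
                self._locked_until[key] = now + self.lockout_seconds
                stamps.clear()

    def record_success(self, client_ip, username):
        # Only the account counter is reset: clearing the address counter on
        # success would let one known-good credential launder a noisy address.
        self._failures.pop(("user", username.strip().lower()), None)


def _hash(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for whatever the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user record; not a real credential.
USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        _hash(password, b"dummy-salt")   # keep timing uniform for unknown accounts
        return False
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def handle_login(throttle, client_ip, username, password):
    """Return the HTTP status a throttled login endpoint should send."""
    if throttle.retry_after(client_ip, username) > 0:
        return 429
    if verify_password(username, password):
        throttle.record_success(client_ip, username)
        return 200
    throttle.record_failure(client_ip, username)
    return 403


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3)
    for pw in ("guess1", "guess2", "guess3", "correct horse"):
        print(pw, "->", handle_login(throttle, "203.0.113.10", "alice", pw))
    print("retry after", round(throttle.retry_after("203.0.113.10", "alice")), "s")
```

In a real deployment the counters live in shared storage (a cache or database) rather than in process memory, so every worker sees the same state, and a lockout event is logged with address and account so that a burst of 429s becomes a detection signal rather than a silent mitigation.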