Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm


Reported on Jul 12th 2022

  1. Hello maintainer, I noticed that there is no rate-limit protection on the endpoint, so we can perform a brute-force attack.

Steps to reproduce:

  1. Create an account with the victim's email ID.
  2. When the account is created, it asks for email confirmation by validating an OTP on
  3. Enter any random OTP and try to perform a brute-force attack.

Patch recommendation:

  1. Add rate-limit protection on the POST confirmation email endpoints/parameters.


  1. Pre-Account Takeover
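The control the report asks for, as an added example that is not bookwyrm's code: an email-confirmation check that budgets wrong guesses per issued code, discards the code once the budget is spent, and compares in constant time. `ConfirmationStore`, `MAX_ATTEMPTS` and the in-memory dict are assumptions for illustration; a real deployment would persist the counter in the database or cache so it survives restarts and is shared across workers.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5   # wrong guesses tolerated per issued code (assumed value)
CODE_LENGTH = 6    # digits in the confirmation code (assumed value)


@dataclass
class PendingConfirmation:
    code: str
    attempts: int = 0


class ConfirmationStore:
    """Hypothetical store of unconfirmed accounts keyed by email address."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingConfirmation] = {}

    def issue(self, email: str) -> str:
        """Generate a fresh code for an unconfirmed account and reset its attempt counter."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[email] = PendingConfirmation(code=code)
        return code

    def confirm(self, email: str, submitted: str) -> str:
        """Return 'confirmed', 'invalid', 'locked' or 'unknown'.

        Every wrong guess is counted. Once MAX_ATTEMPTS is reached the code is
        invalidated, so further guesses fail even if they are correct, until a
        new code is issued. Without this budget the 10**CODE_LENGTH space can be
        exhausted by repeated POSTs, which is the bug the report describes.
        """
        pending = self._pending.get(email)
        if pending is None:
            return "unknown"
        if pending.attempts >= MAX_ATTEMPTS:
            return "locked"
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[email]
            return "confirmed"
        pending.attempts += 1
        if pending.attempts >= MAX_ATTEMPTS:
            pending.code = ""  # belt and braces: the old code can never match again
            return "locked"
        return "invalid"
```

A per-IP or per-account request throttle on the endpoint belongs in front of this check as well; the attempt budget is what makes the OTP itself unguessable within its lifetime.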
We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a month ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a month ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. a month ago
Akshay Ravi
23 days ago


Hello @maintainer any update on this?

We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. 20 days ago
Mouse Reeve validated this vulnerability 15 days ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on 7bbe42 15 days ago
The fix bounty has been dropped
Akshay Ravi
15 days ago


@maintainer are you happy to assign a CVE? please confirm, then only admin can move further

Akshay Ravi
14 days ago


@Mouse Reeve @maintainer please confirm: are you happy to assign a CVE? 😇

Akshay Ravi
13 days ago


@admin can you please assign a CVE for this?

Jamie Slome
11 days ago


Same as the other report, we will wait for the maintainer to give approval for a CVE before proceeding. I would recommend leaving a comment on the commit asking if the maintainer is happy for us to publish one.

Akshay Ravi
10 days ago


@admin, the maintainer has requested a CVE via GitHub; here is the link, check that:

So can we assign a CVE here?

Jamie Slome
9 days ago


I've dropped a message on the other report asking the maintainer :)

Jamie Slome
8 days ago


CVE-2022-2651 has been assigned and is all sorted!
