Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 12th 2022


  1. Hello maintainer, I noticed that there is no rate-limit protection on the https://book.dansmonorage.blue/confirm-email endpoint, so an attacker can brute-force the confirmation code.

Steps to reproduce:

  1. Create an account using the victim's email address
  2. When the account is created, it asks for email confirmation by validating an OTP on https://book.dansmonorage.blue/confirm-email
  3. Enter any random OTP and repeat the request: the endpoint never throttles or locks out the account, so every possible code can be tried

Patch recommendation:

  1. Add rate-limit protection (and an attempt limit per pending account) on the POST confirmation email endpoint/parameters
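The reproduction steps and the patch recommendation above can be seen side by side in a small simulation. This is an added illustration, not code from the bookwyrm project and not the researcher's: the 4-digit numeric code format, the five-attempt budget, the in-memory `PendingAccount` record and the `confirm_*` functions are all assumptions made for the demo. The attacker loop is run once against a handler that accepts unlimited guesses (the reported behaviour) and once against a handler that counts attempts and invalidates the code when the budget is exhausted.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed example. The report does not state the real code format;
# a short numeric OTP is assumed here because it is what makes exhaustive
# guessing cheap when nothing limits the number of attempts.
CODE_LENGTH = 4
MAX_ATTEMPTS = 5  # assumed policy: invalidate the code after five wrong guesses


@dataclass
class PendingAccount:
    email: str
    code: str
    attempts: int = 0
    confirmed: bool = False
    locked: bool = False


def create_pending_account(email: str) -> PendingAccount:
    """Register an account that still needs email confirmation and return the
    record, including the code that would be mailed to the address owner."""
    code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_LENGTH))
    return PendingAccount(email=email, code=code)


def confirm_unthrottled(acct: PendingAccount, guess: str) -> str:
    """Vulnerable behaviour as described in the report: every guess is checked
    and nothing limits how many guesses a client may submit."""
    if guess == acct.code:
        acct.confirmed = True
        return "confirmed"
    return "invalid"


def confirm_throttled(acct: PendingAccount, guess: str) -> str:
    """Hardened behaviour along the lines of the patch recommendation: count
    attempts per pending account and refuse further guesses once the budget is
    exhausted, so a wrong guess cannot simply be retried until it is right."""
    if acct.confirmed:
        return "already_confirmed"
    if acct.locked:
        return "locked"
    acct.attempts += 1
    # compare_digest keeps the comparison constant-time, so response timing
    # does not leak how many leading digits of the guess were correct.
    if hmac.compare_digest(guess.encode(), acct.code.encode()):
        acct.confirmed = True
        return "confirmed"
    if acct.attempts >= MAX_ATTEMPTS:
        # Invalidate this code entirely; the user must request a fresh one.
        acct.locked = True
        return "locked"
    return "invalid"


def brute_force(acct: PendingAccount, confirm) -> dict:
    """Attacker loop: submit every possible code in order and stop when the
    endpoint either reports success or stops answering."""
    for n in range(10 ** CODE_LENGTH):
        guess = f"{n:0{CODE_LENGTH}d}"
        result = confirm(acct, guess)
        if result == "confirmed":
            return {"outcome": "takeover", "guesses": n + 1}
        if result == "locked":
            return {"outcome": "blocked", "guesses": n + 1}
    return {"outcome": "failed", "guesses": 10 ** CODE_LENGTH}


def demo() -> tuple:
    """Run the same attack against both handlers for one fixed code."""
    vulnerable = PendingAccount(email="victim@example.org", code="4821")
    hardened = PendingAccount(email="victim@example.org", code="4821")
    return (brute_force(vulnerable, confirm_unthrottled),
            brute_force(hardened, confirm_throttled))


if __name__ == "__main__":
    print(demo())
```

The per-account attempt budget is the minimum that turns a 10,000-guess attack into a 5-guess one; in a real deployment it should be combined with request-rate limiting at the view or reverse-proxy layer, keyed on both the client address and the target account, so that an attacker cannot simply distribute guesses across many registrations.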

Impact

  1. Pre-Account Takeover

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a month ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a month ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. a month ago
Akshay Ravi
23 days ago

Researcher


Hello @maintainer any update on this?

We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. 20 days ago
Mouse Reeve validated this vulnerability 15 days ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on 7bbe42 15 days ago
The fix bounty has been dropped
Akshay Ravi
15 days ago

Researcher


@maintainer are you happy to assign a CVE? Please confirm; only then can the admin move further.

Akshay Ravi
14 days ago

Researcher


@Mouse Reeve @maintainer please confirm, are you happy to assign a CVE?😇

Akshay Ravi
13 days ago

Researcher


@admin can you please assign a CVE for this?

Jamie Slome
11 days ago

Admin


Same as the other report, we will wait for the maintainer to give approval for a CVE before proceeding. I would recommend leaving a comment on the commit asking if the maintainer is happy for huntr.dev to publish one.

Akshay Ravi
10 days ago

Researcher


@admin the maintainer has requested a CVE via GitHub; here is the link, check that: https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

So can we assign a CVE here?

Jamie Slome
9 days ago

Admin


I've dropped a message on the other report asking the maintainer :)

Jamie Slome
8 days ago

Admin


CVE-2022-2651 has been assigned and is all sorted!
