Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 12th 2022

Hello maintainer, i noticed that there is no ratelimit protetcion on https://book.dansmonorage.blue/confirm-email endpoint, so we can perform bruteforce attack

Steps to reproduce:

Create a acount with victims email id
When the account is created, its ask for email confirmation via validating OTP on https://book.dansmonorage.blue/confirm-email
Enter any random OTP and try to perfrom bruteforce attack

Patch recommendation:

Add ratelimit protecion on POST confirmation email endpoints/parameters

Impact

Pre-Account Takeover

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a month ago

We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a month ago

We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. a month ago

Akshay Ravi

commented 23 days ago

Researcher

Hello @maintainer any update on this?

We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. 20 days ago

Mouse Reeve validated this vulnerability 15 days ago

Akshay Ravi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mouse Reeve confirmed that a fix has been merged on 7bbe42 15 days ago

The fix bounty has been dropped

Akshay Ravi

commented 15 days ago

Researcher

@maintainer are you happy to assign a CVE? please confirm, then only admin can move further

Akshay Ravi

commented 14 days ago

Researcher

@Mouse Revee @maintainer please confirm are you happy to assign a CVE?😇

Akshay Ravi

commented 13 days ago

Researcher

@admin can you pls assign a CVE for this?

Jamie Slome

commented 11 days ago

Admin

Same as the other report, we will wait for the maintainer to give approval for a CVE before proceeding. I would recommend leaving a comment on the commit asking if the maintainer is happy for huntr.dev to publish one.

Akshay Ravi

commented 10 days ago

Researcher

@admin maintainer has requested a CVE via github here is the link, check that: https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

So can we assign a CVE here?

Jamie Slome

commented 9 days ago

Admin

I've dropped a message on the other report asking the maintainer :)

Jamie Slome

commented 8 days ago

Admin

CVE-2022-2651 has been assigned and is all sorted!

to join this conversation

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a month ago

We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a month ago

We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. a month ago

Akshay Ravi

commented 23 days ago

Researcher

Hello @maintainer any update on this?

We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. 20 days ago

Mouse Reeve validated this vulnerability 15 days ago

Akshay Ravi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mouse Reeve confirmed that a fix has been merged on 7bbe42 15 days ago

The fix bounty has been dropped

Akshay Ravi

commented 15 days ago

Researcher

@maintainer are you happy to assign a CVE? please confirm, then only admin can move further

Akshay Ravi

commented 14 days ago

Researcher

@Mouse Revee @maintainer please confirm are you happy to assign a CVE?😇

Akshay Ravi

commented 13 days ago

Researcher

@admin can you pls assign a CVE for this?

Jamie Slome

commented 11 days ago

Admin

Akshay Ravi

commented 10 days ago

Researcher

@admin maintainer has requested a CVE via github here is the link, check that: https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

So can we assign a CVE here?

Jamie Slome

commented 9 days ago

Admin

I've dropped a message on the other report asking the maintainer :)

Jamie Slome

commented 8 days ago

Admin

CVE-2022-2651 has been assigned and is all sorted!

to join this conversation