No rate limit on sending magic link to sign-in in vriteio/vrite

Valid

Reported on

Sep 24th 2023


Description

It was observed that no rate limit is applied to the magic-link sending endpoint, which allows an attacker to spam the victim's mailbox by repeatedly requesting a sign-in link for that address.

Affected URL: https://app.vrite.io/api/v1/auth.sendMagicLink?batch=1

Proof of Concept

1. Visit https://app.vrite.io/auth
2. Select the "continue with" magic link option.
3. Enter the email address, turn on your intercept, and capture the request when you click "Send magic link".
4. Replay this request multiple times using Intruder.
5. Observe that the mailbox has been spammed.

PoC

Video PoC : https://drive.google.com/file/d/1Ej4DoUFeFDUzD5bdhmQ6mpuWDgZMGbw9/view?usp=sharing

Impact

Due to the lack of a rate limit, this can be used for an email spam attack, or to put a heavy load on the mail server in use, causing additional expenses for the organization. Under certain conditions it may lead to an application-level DoS.

We are processing your report and will contact the vriteio/vrite team within 24 hours. 5 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 5 months ago
We have contacted a member of the vriteio/vrite team and are waiting to hear back 5 months ago
vriteio/vrite maintainer validated this vulnerability 5 months ago
th3l0newolf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Arek Nawo marked this as fixed in 0.3.0 with commit 187768 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago