Insufficient Granularity of Access Control in erudika/scoold


Reported on

Aug 1st 2021

✍️ Description

Bypass rate limit and sent unlimited email to any email address.

💥 Impact

Attacker can sent unlimited email to any mail address . Many email service provider has limited email sending like 10000 email per month . If you exeed that limit then you will be extra charged . So, using this attack attacker can exeed that limit and company will be charged extra money.

🕵️‍♂️ Proof of Concept

During email verification resending there is not rate limit , which allow attacker to sent unlimited email to any mail address .

  1. First create a account in with any email address . Now sent bellow request to send unlimited verification email
POST /signin/register/resend HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
DNT: 1
Connection: close
Cookie: drift_campaign_refresh=6120fffa-1159-4d14-9bb5-eff77e486c0a; drift_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f; driftt_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f; G_ENABLED_IDPS=google
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Here in this postdata change email parameter value to vicitm email.
Now sent this request unlimited time and victim email address will received unlimited verification email . Also attacker can make this as python code and send unlimited email

You should set rate limit there to prevent this

We have contacted a member of the erudika/scoold team and are waiting to hear back a year ago
Alex Bogdanovski validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski marked this as fixed with commit 043be6 a year ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation