Vendor: bookwyrm
By: Akshay Ravi
CVSS: 9.8 (CRITICAL)
Title: Email Verification Bypass
CWE: 287
Product Name: bookwyrm
Affected Version From: <= 4.0.3
Affected Version To: <= 4.0.3
Patch Exists: NO
Related CVE: CVE-2022-2651
CPE: 2.3:a:bookwyrm-social:bookwyrm:0.4.3
Platforms Tested: MacOS Monterey
2022

Bookwyrm v0.4.3 – Authentication Bypass

Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Rate-Limit Protection. Create an account using the victim's email address. When the account is created, the application asks for email confirmation by validating an OTP. Because the confirmation endpoint applies no rate limit, an attacker can submit arbitrary OTP values repeatedly (a brute-force attack); once a submitted OTP matches, the attacker controls the account.

Mitigation:

Implement rate-limit protection on the OTP validation endpoint (for example, a bounded number of failed attempts per account, after which the pending code is invalidated).

Exploit-DB raw data:

# Exploit Title: Bookwyrm v0.4.3 - Authentication Bypass
# Date: 2022-08-4
# Exploit Author: Akshay Ravi
# Vendor Homepage: https://github.com/bookwyrm-social/bookwyrm
# Software Link: https://github.com/bookwyrm-social/bookwyrm/releases/tag/v0.4.3
# Version: <= 4.0.3
# Tested on: MacOS Monterey
# CVE: CVE-2022-2651
# Original Report Link: https://huntr.dev/bounties/428eee94-f1a0-45d0-9e25-318641115550/

Description: Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Rate-Limit Protection

# Steps to reproduce:

1. Create an account using the victim's email address.
2. When the account is created, the application asks for email confirmation by validating an OTP. Endpoint: https://site/confirm-email
3. Enter any random OTP; because the endpoint is not rate limited, the OTP can be brute-forced, and once a submitted OTP matches, the account is taken over.
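As an added example of the mitigation described above (hypothetical code, not BookWyrm's own), this is a server-side confirmation store that budgets wrong guesses per account, invalidates the pending code once that budget is spent, and expires codes after a fixed lifetime; the policy constants and the `ConfirmationStore` API are constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy (hypothetical values): at most MAX_ATTEMPTS wrong codes
# per account inside WINDOW seconds. Exhausting the budget invalidates the
# pending code, so guessing cannot simply resume; codes also expire.
MAX_ATTEMPTS = 5
WINDOW = 15 * 60      # seconds over which failures are counted
CODE_TTL = 24 * 3600  # seconds a confirmation code stays valid


@dataclass
class PendingConfirmation:
    code: str                      # the code that was emailed to the user
    issued_at: float               # when it was issued (epoch seconds)
    failures: List[float] = field(default_factory=list)  # wrong-guess times


class ConfirmationStore:
    """Hypothetical store for pending email confirmations (not BookWyrm's)."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingConfirmation] = {}

    def issue(self, username: str, code: str,
              now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._pending[username] = PendingConfirmation(code=code, issued_at=now)

    def confirm(self, username: str, submitted: str,
                now: Optional[float] = None) -> str:
        """Return 'confirmed', 'wrong', 'invalidated', 'expired' or 'unknown'."""
        now = time.time() if now is None else now
        pending = self._pending.get(username)
        if pending is None:
            return "unknown"          # nothing pending or already invalidated
        if now - pending.issued_at > CODE_TTL:
            del self._pending[username]
            return "expired"
        # Only failures inside the window count towards the budget.
        pending.failures = [t for t in pending.failures if now - t < WINDOW]
        # Constant-time comparison: no timing side channel on the code value.
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            del self._pending[username]
            return "confirmed"
        pending.failures.append(now)
        if len(pending.failures) >= MAX_ATTEMPTS:
            del self._pending[username]  # budget spent: a new code is required
            return "invalidated"
        return "wrong"
```

In a real deployment the store would live in the database or cache shared by all application workers, and the same budget should also be enforced per source address so that one client cannot spread guesses across many accounts.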