Severity: Medium · CVSS 6.5

Password reset endpoint lacked per-account rate limiting

Status: Resolved
Tags: Rate Limiting, Enumeration
Published 12/12/2024 • Discovered 12/10/2024
Summary
An attacker could repeatedly request a password reset for a known email address, potentially enabling enumeration of valid accounts and flooding the target's inbox with reset messages.
Impact

Increased probability of account enumeration and nuisance traffic. No account takeover without additional factors.

Remediation

Added per-identity and per-IP rate limits, introduced exponential backoff, and standardized response messages so that the endpoint no longer reveals whether an address belongs to an existing account.
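The following is an added illustration of the remediation described above; it is hypothetical code, not the Auth Service's implementation, and the limiter parameters, the sample burst and the addresses in it are constructed for the example. It shows per-identity exponential backoff, a per-IP sliding-window cap, and a single generic response returned on every path so that neither a throttle nor an unknown address is observable to the caller.

```python
"""Added example: rate-limited, oracle-free password reset endpoint.
Hypothetical code; parameters and sample data are constructed."""
import time
from collections import defaultdict, deque

# One response body for every outcome (unknown address, throttled, email sent),
# so the endpoint cannot be used to confirm that an account exists.
GENERIC_RESPONSE = {
    "status": 202,
    "message": "If an account exists for that address, a reset email has been sent.",
}


class ResetRateLimiter:
    """Per-identity exponential backoff plus a per-IP sliding-window cap."""

    def __init__(self, base_delay=60.0, max_delay=3600.0,
                 ip_limit=10, ip_window=600.0, clock=time.monotonic):
        self.base_delay = base_delay    # cooldown after the first accepted reset for an identity
        self.max_delay = max_delay      # cap so a targeted user is never locked out indefinitely
        self.ip_limit = ip_limit        # accepted requests per ip_window from one source address
        self.ip_window = ip_window
        self.clock = clock              # injectable for deterministic tests
        self._identity = {}             # identity -> (accepted_count, next_allowed_at)
        self._ip = defaultdict(deque)   # ip -> timestamps of accepted requests

    def allow_ip(self, ip):
        now = self.clock()
        window = self._ip[ip]
        while window and now - window[0] >= self.ip_window:
            window.popleft()            # drop entries that fell out of the window
        if len(window) >= self.ip_limit:
            return False
        window.append(now)
        return True

    def allow_identity(self, identity):
        now = self.clock()
        count, next_allowed = self._identity.get(identity, (0, 0.0))
        if now < next_allowed:
            return False                # rejected attempts do not extend the cooldown
        count += 1
        # 60s, 120s, 240s, ... capped at max_delay
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self._identity[identity] = (count, now + delay)
        return True


def normalize_identity(email):
    # Case and whitespace variants must land in one bucket, or the limit is bypassed.
    return email.strip().lower()


def request_password_reset(email, ip, limiter, known_accounts, send_email, audit_log):
    """Handle one reset request. Only the 'known account' branch has a side effect;
    the caller always receives GENERIC_RESPONSE."""
    identity = normalize_identity(email)
    if not limiter.allow_ip(ip):
        audit_log.append(("throttled_ip", ip))
    elif not limiter.allow_identity(identity):
        audit_log.append(("throttled_identity", identity))
    elif identity in known_accounts:
        send_email(identity)            # queue for async delivery in a real service
    else:
        audit_log.append(("unknown_identity", identity))
    # The identity limit is applied before the existence check, so known and
    # unknown addresses are throttled identically.
    return GENERIC_RESPONSE


# Constructed burst: (seconds, email, source ip). Only alice has an account.
SAMPLE_BURST = [
    (0,   "alice@example.com", "203.0.113.5"),   # accepted, email sent, 60s cooldown
    (1,   "Alice@Example.com", "203.0.113.5"),   # same identity, in cooldown
    (2,   "bob@example.com",   "203.0.113.5"),   # unknown, same generic reply
    (3,   "carol@example.com", "203.0.113.5"),
    (4,   "dave@example.com",  "203.0.113.5"),
    (5,   "erin@example.com",  "203.0.113.5"),   # 6th request in window: IP throttled
    (61,  "alice@example.com", "198.51.100.9"),  # cooldown elapsed, email sent, now 120s
    (120, "alice@example.com", "198.51.100.9"),  # still inside the 120s cooldown
]


def simulate_burst(requests=SAMPLE_BURST, base_delay=60.0, ip_limit=5):
    """Replay requests against a fresh limiter with a fake clock.
    Returns (emails_sent, audit_log)."""
    now = [0.0]
    limiter = ResetRateLimiter(base_delay=base_delay, ip_limit=ip_limit,
                               ip_window=600.0, clock=lambda: now[0])
    sent, audit = [], []
    for t, email, ip in requests:
        now[0] = float(t)
        request_password_reset(email, ip, limiter, {"alice@example.com"}, sent.append, audit)
    return sent, audit


if __name__ == "__main__":
    emails, log = simulate_burst()
    print("emails sent:", emails)
    for entry in log:
        print("audit:", entry)
```

Two design points worth noting. Per-identity limits on a reset endpoint let a third party delay a legitimate user's reset, which is why the cooldown is capped by max_delay and never extended by rejected attempts. The throttle events are recorded in an internal audit log rather than surfaced in the response, which gives the SOC a detection signal for enumeration bursts while keeping the client-visible behaviour uniform; in a real service the email should also be queued asynchronously so that response latency does not differ between the branches.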

Timeline
Key events from report to disclosure
12/10/2024: Report received
12/10/2024: Acknowledged
12/11/2024: Fix deployed
12/12/2024: Public disclosure
Technical Details
Metadata and scoring
Severity: Medium
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Reporter: Alex Thompson (@alext)
Products: Auth Service
Components: Password reset, Email OTP
CWE: CWE-307, CWE-799