Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

No rate-limit in SERVER_SECURITY_CHECK

Low
B
Bumble
Submitted None
Actions:
View on HackerOne
Reported by c0rte

Vulnerability Details

Technical details and impact analysis

Improper Authentication - Generic
Hi, When you login in another Ip address Badoo will ask to confirm mobile number to authenticate. The problem is that there is no limit of tries. This make this feature useless since it can be brute forced. In the video you can see at request 56 we found the right number which lead to authentication. Response when found right number: ``` HTTP/1.1 200 OK Server: nginx Date: Sat, 08 Oct 2016 14:29:46 GMT Content-Type: application/json Connection: close X-BMA-Server: www33 X-User-id: 471337266 X-Session-id: meba0dcc7466641ca981034c8c2df3090 X-Static-Version: 10735 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Timing-Allow-Origin: https://eu1.badoo.com Content-Length: 494 {"$gpb":"badoo.bma.BadooMessage","message_type":6004,"version":1,"message_id":13,"body":[{"$gpb":"badoo.bma.MessageBody","client_security_check_result":{"$gpb":"badoo.bma.ClientSecurityCheckResult","complete":true,"success":true},"message_type":528},{"$gpb":"badoo.bma.MessageBody","server_error_message":{"$gpb":"badoo.bma.ServerErrorMessage","error_code":"15","error_message":"Security check required","error_id":"captcha_10","error_eta":394,"type":15},"message_type":1}],"responses_count":2} ``` Wrong number: ``` HTTP/1.1 200 OK Server: nginx Date: Sat, 08 Oct 2016 14:29:42 GMT Content-Type: application/json Connection: close X-BMA-Server: www88 X-User-id: 471337266 X-Session-id: meba0dcc7466641ca981034c8c2df3090 X-Static-Version: 10735 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Timing-Allow-Origin: https://eu1.badoo.com Content-Length: 528 {"$gpb":"badoo.bma.BadooMessage","message_type":6004,"version":1,"message_id":13,"body":[{"$gpb":"badoo.bma.MessageBody","client_security_check_result":{"$gpb":"badoo.bma.ClientSecurityCheckResult","complete":true,"success":false,"error_text":"DÃgitos errados."},"message_type":528},{"$gpb":"badoo.bma.MessageBody","server_error_message":{"$gpb":"badoo.bma.ServerErrorMessage","error_code":"15","error_message":"Security check required","error_id":"captcha_10","error_eta":394,"type":15},"message_type":1}],"responses_count":2} ``` Thanks, Diogo Real

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$140.00

Submitted

Weakness

Improper Authentication - Generic