Improper Authentication Throttling Allows Attacker-Controlled Account Lockouts

The application lacks sufficient safeguards in its authentication throttling logic. It permits arbitrary users to trigger lockouts on any account by submitting multiple failed login attempts using a known or guessed username. Because the system does not verify the request origin or impose intelligent rate-limiting tied to session/IP/fingerprint, an attacker can intentionally lock out legitimate users — impacting their access to the application. ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. **Obtain a valid username** Usernames are publicly available via the platform's user directory, leaderboard, or other public features. 1. **Attempt multiple failed logins** Submit several login attempts using the valid username with incorrect passwords. 1. **Observe the account lockout** After a specific number of failed attempts (e.g., 5–10), the application prevents further login for that user ## PoC: Demonstrating that sending multiple failed login requests targeting a specific username results in that account being locked out. {F4378063} **I verified this by attempting to log into my own account from a different IP address using the correct password, and I was rate limited** — confirming that the lockout mechanism is based **solely on the username**, not on the **IP address** or **session context**. This demonstrates that an attacker can remotely prevent legitimate users from accessing their accounts without needing valid credentials, resulting in a loss of account availability for targeted individuals. ## Impact - Enables unauthorized control over another user's account availability. - May disrupt access for legitimate users, causing support overhead, trust degradation, or account compromise attempts.