Account Takeover because of the mis-configuration on the Password Reset Page
Team Summary
Official summary from Clario
### Summary

`https://api.account.opendoor.ltd` has no rate limit on the password reset's verification endpoint. Because of this, I can take over any account; all I need to know is the victim's email address.

### Steps to reproduce

1. There is an endpoint, `POST /v1/verification-code/forgot-password`, which takes POST data in the format
   ```
   {
     "email": "[email protected]",
     "device_id": "helloworld"
   }
   ```
   Give the email address and any `device_id` you like.
2. There is another endpoint, `POST /v1/verification-code/auth`, where the user enters the verification code sent to their email address so that they can reset their password. It accepts data as `{"code": "TEST", "device_id": "helloworld"}`. Use the same `device_id` you gave in step 1.
3. I observed that the verification code is 4 characters drawn from upper-case letters and digits, so I need to generate every possible 4-character code: 36^4 = 1,679,616 combinations in total. For the sake of demonstration I take only around 1000 combinations, but it is easy to run all 1,679,616 from cloud services such as AWS.
4. Make the request to `POST /v1/verification-code/forgot-password` for the victim's email address, then send a request to `POST /v1/verification-code/auth` with the same `device_id` you used on the forgot-password endpoint.
5. Send the request to Intruder.
6. Add the attack point at the verification code.
7. In the payloads section, add around 1000 combinations of 4-character verification codes, with the correct verification code at the end so that we can prove the bug exists, and set the thread count to a high value so that the attack runs faster.
8. Start the attack.

After all those requests are made, you will notice that the response for the correct verification code is 200 OK, while every wrong verification code gets 401 Unauthorized.
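The brute force the steps above describe, as an added example that is not part of the original report or Clario's code: a Python stand-in for the two endpoints (`VerificationService`, a hypothetical in-process model, not the real API at `api.account.opendoor.ltd`), the 36^4 keyspace generator that replaces the Intruder payload list, and a concurrent guesser in place of Intruder. The `max_attempts` switch is an assumed mitigation, included to show why a per-code attempt limit (or rate limit) defeats the attack; the email address and `device_id` are constructed inputs.

```python
import itertools
import secrets
import string
import threading
from concurrent.futures import ThreadPoolExecutor

# Code alphabet as described in the report: upper-case letters and digits, 4 characters.
ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 4


def keyspace_size(alphabet=ALPHABET, length=CODE_LENGTH):
    """Number of possible codes: 36**4 == 1679616 for the reported scheme."""
    return len(alphabet) ** length


def all_codes(alphabet=ALPHABET, length=CODE_LENGTH):
    """Lazily enumerate every candidate code (the Intruder payload list)."""
    for chars in itertools.product(alphabet, repeat=length):
        yield "".join(chars)


class VerificationService:
    """Hypothetical in-process stand-in for the two endpoints in the report.

    max_attempts=None models the reported behaviour (no limit on guesses);
    a small integer models the fix: lock the code after N wrong guesses.
    """

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self._pending = {}          # device_id -> [code, failed_attempts]
        self._lock = threading.Lock()

    def forgot_password(self, email, device_id):
        """POST /v1/verification-code/forgot-password: issue a code for device_id.

        The real service e-mails the code to the account holder; this toy
        returns it only so the demo can put it at the end of the guess list.
        """
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        with self._lock:
            self._pending[device_id] = [code, 0]
        return code

    def auth(self, code, device_id):
        """POST /v1/verification-code/auth: returns an HTTP-style status code.

        200 = correct code, 401 = wrong code (as in the report),
        429 = guess budget exhausted (only when max_attempts is set).
        """
        with self._lock:
            entry = self._pending.get(device_id)
            if entry is None:
                return 401
            if self.max_attempts is not None and entry[1] >= self.max_attempts:
                return 429
            if secrets.compare_digest(entry[0], code):
                del self._pending[device_id]   # a code is single-use
                return 200
            entry[1] += 1
            return 401


def brute_force(service, device_id, codes, workers=50, batch=500):
    """Guess codes concurrently; return the accepted code or None.

    Stops early on 429 because once the service locks the code, every
    remaining guess, including the correct one, is rejected.
    """
    it = iter(codes)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while True:
            chunk = list(itertools.islice(it, batch))
            if not chunk:
                return None
            statuses = pool.map(lambda c: service.auth(c, device_id), chunk)
            for code, status in zip(chunk, statuses):
                if status == 200:
                    return code
                if status == 429:
                    return None


def demo(max_attempts=None, sample=1000):
    """Reproduce the report against the toy: ~1000 guesses with the real code last."""
    svc = VerificationService(max_attempts=max_attempts)
    real = svc.forgot_password("victim@example.com", "helloworld")  # constructed inputs
    guesses = [c for c in itertools.islice(all_codes(), sample) if c != real] + [real]
    return real, brute_force(svc, "helloworld", guesses)


if __name__ == "__main__":
    print("keyspace:", keyspace_size())
    real, found = demo()
    print("no attempt limit -> recovered", found, "(real code", real + ")")
    real, found = demo(max_attempts=5)
    print("5-attempt lock   -> recovered", found)
```

Without a limit the attacker needs at most 1,679,616 requests (roughly 840,000 on average) per victim, which is why the report calls the full run feasible from cloud infrastructure; with five attempts per issued code the correct guess is rejected along with every other one, and the attacker's only option is to request a fresh code, which the account holder sees arriving in their inbox.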
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$300.00
Submitted
Weakness
Business Logic Errors