Bug Reports

Lack of Rate Limiting in Forget Password Functionality
Vulnerability Report: Lack of Rate Limiting in Forget Password Functionality

Summary:
During a security assessment of the authentication system on https://app.hoory.com/, a lack of rate limiting was discovered in the "Forget Password" functionality. This vulnerability allows an attacker to potentially launch brute force or automated attacks on user accounts, leading to unauthorized access.

Vulnerability Details:
Endpoint: The forget password functionality can be accessed via the URL https://app.hoory.com/auth/password.
Absence of Rate Limiting: Upon inspection of the request and response traffic, it was observed that there is no rate limiting mechanism implemented for the "Forget Password" feature. This means that an attacker could programmatically send numerous password reset requests without encountering any restrictions.

Potential Impact:
Credential Guessing: Attackers could leverage this vulnerability to guess user passwords through automated or brute force methods.
Account Takeover: Successful exploitation of this vulnerability could lead to unauthorized access to user accounts, potentially compromising sensitive information stored within the application.
Reputational Damage: The exploitation of this vulnerability could result in reputational damage for the organization, as users may lose trust in the security of the platform.

Recommendations:
Implement Rate Limiting: Introduce rate limiting mechanisms to restrict the number of forget password requests that can be made within a certain time period. This can help mitigate the risk of brute force attacks.
Monitoring and Logging: Implement robust monitoring and logging mechanisms to track forget password requests and detect suspicious patterns indicative of brute force attacks.
User Notifications: Notify users of any forget password requests made on their accounts, allowing them to take appropriate action if they did not initiate the request.
Security Awareness: Educate users about the importance of choosing strong, unique passwords and utilizing additional security measures such as multi-factor authentication.
Status: complete
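The first two recommendations above (rate limiting plus logging of suspicious patterns) are straightforward to implement together. The following is an added example written for this page, not code from the report or from the hoory.com application: a sliding-window limiter that counts password-reset requests both per client IP and per target account, records every throttled attempt in an audit log, and returns the same generic message whether or not a mail was actually sent. The limits, the window length, the handler name and the sample client values are assumptions chosen for the illustration.

```python
"""Sliding-window rate limiting for a password-reset ("forgot password") endpoint.

Added example, not code from the report or from the hoory.com application.
The limits, window length, endpoint handler name and client identifiers are
assumptions chosen for the illustration.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

# Same text for every caller, so the response neither confirms that an
# account exists nor reveals that the request was throttled.
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


@dataclass
class ResetRateLimiter:
    """Two independent sliding windows: per client IP (one client flooding the
    endpoint) and per target account (many clients aimed at one victim)."""
    ip_limit: int = 5            # assumed: requests per IP per window
    account_limit: int = 3       # assumed: requests per account per window
    window_seconds: float = 900  # assumed: 15-minute window
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    audit_log: List[str] = field(default_factory=list, init=False)
    _by_ip: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque), init=False)
    _by_account: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque), init=False)

    @staticmethod
    def _prune(q: Deque[float], now: float, window: float) -> None:
        # Discard timestamps that have aged out of the sliding window.
        while q and now - q[0] >= window:
            q.popleft()

    def check(self, client_ip: str, account: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Denied attempts are recorded too, so a
        client that keeps hammering never sees its window reset."""
        now = self.clock()
        account = account.strip().lower()  # one bucket per account regardless of casing
        ip_q, acct_q = self._by_ip[client_ip], self._by_account[account]
        self._prune(ip_q, now, self.window_seconds)
        self._prune(acct_q, now, self.window_seconds)
        if len(ip_q) >= self.ip_limit:
            reason = "ip_limit"
        elif len(acct_q) >= self.account_limit:
            reason = "account_limit"
        else:
            reason = "ok"
        ip_q.append(now)
        acct_q.append(now)
        if reason != "ok":
            # Structured line for the monitoring/alerting the report recommends.
            self.audit_log.append(f"t={now:.0f} ip={client_ip} account={account} denied={reason}")
        return reason == "ok", reason


def handle_reset_request(limiter: ResetRateLimiter, client_ip: str, account: str,
                         send_mail: Callable[[str], None]) -> str:
    """Hypothetical endpoint handler: the caller always gets GENERIC_RESPONSE;
    the reset mail is only sent when the limiter allows the request."""
    allowed, _reason = limiter.check(client_ip, account)
    if allowed:
        send_mail(account)
    return GENERIC_RESPONSE


def simulate_burst(n: int = 8) -> Tuple[int, int]:
    """Constructed scenario: one client sends n reset requests for one account,
    one per second. Returns (mails_sent, requests_throttled)."""
    fake_now = [1000.0]
    limiter = ResetRateLimiter(clock=lambda: fake_now[0])
    sent: List[str] = []
    for _ in range(n):
        handle_reset_request(limiter, "203.0.113.7", "victim@example.com", sent.append)
        fake_now[0] += 1.0
    return len(sent), len(limiter.audit_log)


if __name__ == "__main__":
    print(simulate_burst())  # (3, 5) with the assumed account_limit of 3
```

The per-account window matters as much as the per-IP one: a flood spread across many source addresses but aimed at one victim never trips an IP-only limiter, while the account bucket still caps how many reset mails that user can receive per window. The audit log lines are what a monitoring pipeline would alert on.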

Broken Link Hijacking on Instagram
Summary:
Upon investigation, it has been discovered that the Instagram username associated with the website "hoory.com" was available for takeover due to a broken link redirecting to a non-existent Instagram page. The original link, https://www.instagram.com/hoory_com/?hl=en, led to an error message indicating that the page was not available.

Procedure:
Identifying the Issue: While visiting the website hoory.com, it was noted that the Instagram link provided at the bottom of the page redirected to an invalid Instagram page.
Confirmation of Broken Link: Upon clicking the Instagram link, users were directed to https://www.instagram.com/hoory_com/?hl=en, where they encountered an error message stating that the page was not available.
Username Takeover: To mitigate the issue and prevent misuse, the username "hoory_com" was claimed by accessing the Instagram account associated with the website and successfully changing the username.

Conclusion:
The broken link redirecting to an unavailable Instagram page presented a security vulnerability known as "Broken Link Hijacking." By taking over the username associated with the website, the potential for misuse or exploitation of the abandoned Instagram handle has been mitigated.

Recommendation:
Regularly monitor and update website links to ensure they remain functional and lead to the intended destinations.
Implement security measures on social media accounts to prevent unauthorized access or takeovers.
Conduct routine audits of online presence to identify and rectify vulnerabilities promptly.

Action Taken:
The Instagram username associated with hoory.com has been successfully claimed and updated to prevent potential misuse or exploitation. Further steps may be taken to enhance security measures and prevent similar incidents in the future.
Status: complete
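The "routine audits of online presence" recommended above can be partly automated: keep an inventory of the social handles the organisation actually controls and flag any footer link whose handle is missing from it, since a linked-but-unowned handle is exactly the abandoned-profile condition this report describes. The following is an added example written for this page, not code from the report or from hoory.com. The platform table, the reserved-path list, the owned-handle inventory and the sample footer are constructed for the illustration; only the Instagram URL is taken from the report.

```python
"""Audit a page's social-media footer links against an inventory of handles
the organisation actually controls.

Added example, not code from the report or from hoory.com. The platform
table, the inventory and the sample footer HTML are constructed for the
illustration; only the Instagram URL comes from the report above.
"""
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Assumed: host -> index of the path segment that holds the profile handle.
# LinkedIn company pages look like /company/<slug>, so the handle is segment 1.
SOCIAL_HOSTS: Dict[str, int] = {
    "instagram.com": 0, "twitter.com": 0, "x.com": 0,
    "facebook.com": 0, "linkedin.com": 1, "github.com": 0,
}
# Assumed: leading path segments that are platform features, not profiles.
NOT_HANDLES: Set[str] = {"p", "explore", "share", "intent", "hashtag", "search"}


class _AnchorCollector(HTMLParser):
    """Collects every href from <a> tags in the parsed document."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_social_handles(html: str) -> List[Tuple[str, str, str]]:
    """Return (platform, handle, url) for every outbound link to a known platform."""
    collector = _AnchorCollector()
    collector.feed(html)
    found: List[Tuple[str, str, str]] = []
    for href in collector.hrefs:
        parts = urlparse(href)
        host = parts.netloc.lower()
        if host.startswith("www."):
            host = host[4:]
        if host not in SOCIAL_HOSTS:
            continue
        segments = [s for s in parts.path.split("/") if s]
        idx = SOCIAL_HOSTS[host]
        if len(segments) <= idx or segments[0].lower() in NOT_HANDLES:
            continue  # no handle in the path, or a feature URL such as /p/<post>
        handle = segments[idx].lstrip("@").lower()
        found.append((host, handle, href))
    return found


def audit_links(html: str, owned: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Mark each linked handle 'owned' or 'not_in_inventory'. Anything not in the
    inventory needs a human to confirm who controls it, or to remove the link."""
    findings: List[Dict[str, str]] = []
    for platform, handle, url in extract_social_handles(html):
        status = "owned" if handle in owned.get(platform, set()) else "not_in_inventory"
        findings.append({"platform": platform, "handle": handle, "url": url, "status": status})
    return findings


# Constructed sample footer; the Instagram URL is the one quoted in the report.
SAMPLE_FOOTER = """
<footer>
  <a href="https://www.instagram.com/hoory_com/?hl=en">Instagram</a>
  <a href="https://twitter.com/ExampleCo">Twitter</a>
  <a href="https://www.linkedin.com/company/example-co/">LinkedIn</a>
  <a href="https://example.com/privacy">Privacy</a>
</footer>
"""
# Constructed inventory of handles the (hypothetical) team controls.
OWNED_HANDLES: Dict[str, Set[str]] = {"twitter.com": {"exampleco"}, "linkedin.com": {"example-co"}}


def unowned_handles(html: str = SAMPLE_FOOTER,
                    owned: Dict[str, Set[str]] = OWNED_HANDLES) -> List[str]:
    """'platform/handle' for every linked profile that is not in the inventory."""
    return [f"{f['platform']}/{f['handle']}" for f in audit_links(html, owned)
            if f["status"] != "owned"]


if __name__ == "__main__":
    for item in unowned_handles():
        print("review:", item)
```

Comparing against an inventory rather than probing the platform for a 404 has two advantages: it runs offline inside a CI job on the site's own HTML, and it also catches the case where a handle the site links to is registered but belongs to someone else, which a liveness check alone would report as fine.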
