No rate limit in stats api token endpoint

Disclosed: 2018-10-19 17:41:22 By maximus-decimus-meridius To chaturbate
Low
Vulnerability Details
## Brute force on statsapi endpoint to view stats of a user

## Steps To Reproduce:

1. A stats API token can be generated at https://chaturbate.com/statsapi/authtoken/

https://chaturbate.com/statsapi/?username=hackeronetestchat&token=**vulnerable**

I've used my profile and my token to check brute force. The correct token returned with a 200 OK status.

## Impact

An attacker could view the stats of a user.
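The report above describes the missing control, not its fix. The following is an added illustration written for this page, not the reporter's code and not Chaturbate's implementation: a stand-in for the `statsapi` token check with a per-username failed-attempt limit, plus the brute-force loop the report implies, run against the endpoint with and without the limit. The token format (32 hex characters), the limit of five wrong tokens per five-minute window, the 403/429 status codes and the `hackeronetestchat` token value are all assumptions of the example.

```python
import hmac
import secrets
import time
from collections import defaultdict


class StatsApi:
    """Constructed stand-in for the statsapi token check (not Chaturbate's code)."""

    MAX_FAILURES = 5        # assumed policy: five wrong tokens per window ...
    WINDOW_SECONDS = 300    # assumed policy: ... then throttle for five minutes

    def __init__(self, tokens, rate_limited=True):
        self.tokens = dict(tokens)          # username -> assumed 32-hex-char token
        self.rate_limited = rate_limited    # False reproduces the reported behaviour
        self._failures = defaultdict(list)  # username -> timestamps of bad tokens

    def check(self, username, token, now=None):
        """Return an HTTP-style status: 200 ok, 403 wrong token, 429 throttled."""
        now = time.time() if now is None else now
        if self.rate_limited:
            recent = [t for t in self._failures[username]
                      if now - t < self.WINDOW_SECONDS]
            self._failures[username] = recent
            if len(recent) >= self.MAX_FAILURES:
                return 429
        expected = self.tokens.get(username, "")
        # constant-time comparison: a plain == would let response timing leak
        # how many leading characters of the guess were right
        if expected and hmac.compare_digest(expected, token):
            return 200
        if self.rate_limited:
            self._failures[username].append(now)
        return 403


def brute_force(api, username, candidates):
    """Submit candidate tokens in order until the API answers 200 or 429."""
    for attempts, cand in enumerate(candidates, start=1):
        status = api.check(username, cand)
        if status in (200, 429):
            return attempts, status
    return len(candidates), 403


def demo(wrong_guesses=10):
    """Run the same guess list against the unlimited and the limited endpoint."""
    real = secrets.token_hex(16)                          # constructed sample token
    candidates = [secrets.token_hex(16) for _ in range(wrong_guesses)] + [real]
    user = "hackeronetestchat"
    unlimited = brute_force(StatsApi({user: real}, rate_limited=False), user, candidates)
    limited = brute_force(StatsApi({user: real}, rate_limited=True), user, candidates)
    return unlimited, limited


if __name__ == "__main__":
    print(demo())   # without a limit every guess is answered; with one, the 6th is throttled
```

Keying the counter on the username alone means an attacker can lock a victim out of their own stats by sending five bad tokens, so a production limiter would usually count per source address as well, or slow responses down rather than refuse them outright; the constant-time comparison is independent of the limit and should be kept either way.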
Report Stats
  • Report ID: 412526
  • State: Closed
  • Substate: resolved
  • Upvotes: 11