Hello Guyzssss,
I am not much into bug bounty, but while using one of the Yandex services I found that there was no rate limit deployed for login attempts on their IMAP authentication.
This means a user can perform unlimited attempts against the IMAP service, which is what lets other accounts and clients access Yandex mail, just like with other providers.
POC
1) Intercepted the request (parameters) for adding Yandex as an IMAP account from a 3rd-party website.
2) Set up some payloads with one valid password among them.
3) Intruder attack (observed the difference between a valid and an invalid password attempt).
The issue was acknowledged by the Yandex Security Team.
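The missing control here is a throttle on failed IMAP logins. Below is an added example of one (my own code, not Yandex's), a sliding-window counter keyed by both account and client IP that rejects an attempt before the password is compared once either key exceeds the limit; the limit of 5 failures per 10 minutes, the class and function names, and the sample values are all assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed policy (not from the original post): at most 5 failed attempts
# per account, or per client IP, within a 10-minute sliding window.
MAX_FAILURES = 5
WINDOW_SECONDS = 600


class ImapAuthThrottle:
    """Sliding-window counter of failed IMAP LOGIN/AUTHENTICATE attempts."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        # drop failures that fell out of the window, return the live queue
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, account, client_ip, now=None):
        now = time.time() if now is None else now
        # one client spraying many accounts, or many clients hitting one
        # account, both trip the limit
        return any(len(self._prune(k, now)) >= self.max_failures
                   for k in (("acct", account), ("ip", client_ip)))

    def record_failure(self, account, client_ip, now=None):
        now = time.time() if now is None else now
        for k in (("acct", account), ("ip", client_ip)):
            self._prune(k, now).append(now)

    def record_success(self, account):
        # a good login clears the account counter only; the IP counter
        # stays so a spraying client remains throttled
        self._failures.pop(("acct", account), None)


def check_credentials(throttle, account, client_ip, password_ok, now):
    """Returns "blocked", "ok" or "bad". A blocked attempt is refused before
    the password is checked, so it leaks no valid/invalid signal."""
    if throttle.is_blocked(account, client_ip, now):
        return "blocked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, client_ip, now)
    return "bad"
```

In a real deployment the counters would live in a shared store so every IMAP frontend sees the same state, and the block decision should be logged for detection.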