Bug report: No Rate Limiting on “Forgot Password” Endpoint
Security Misconfiguration • Aug 25, 2025
Researcher: Vedant lastname
Description
Reported by:
Hi, I'm Vedant Tanaji Vhatkara, a security researcher passionate about identifying business logic flaws and improving user safety across digital platforms. I discovered this issue during routine testing and believe it poses a serious risk to user accounts and platform integrity.
Video PoC: https://drive.google.com/file/d/1bbW_grNQFmQwU3IIAegb5wSINaO1fiaH/view?usp=drive_link
Description: The “Forgot Password” endpoint does not enforce rate limiting, so an unlimited number of password reset requests can be submitted from a single IP address or for a single user account. This opens up multiple avenues for abuse.
Impact
1] As an attacker, I can repeatedly trigger password reset requests to flood users' inboxes, causing frustration or locking them out of their accounts.
2] As an attacker, I can perform brute-force attempts on verification tokens or one-time passwords, increasing the chances of unauthorized access.
3] As an attacker, I can enumerate valid usernames or email addresses by analyzing system responses to my reset requests.
4] As an attacker, I can abuse the system to send bulk SMS or emails, racking up massive service costs for the platform.
5] As an attacker, I can overload the backend infrastructure, potentially causing denial-of-service (DoS) and disrupting service for all users.
Suggested Fix
Recommended Mitigation:
Implement rate limiting per IP and user (e.g., max 3 requests per hour).
Add CAPTCHA or other bot mitigation controls.
Monitor and alert on unusual password reset traffic patterns.
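The following is an added example, not code from the reported platform, showing how the three mitigations above fit together in one request handler: a sliding-window limit per IP and per account (the "3 per hour" figure is taken from the report; the per-IP limit, the alert threshold, the in-memory store, the hashing secret and the account list are assumptions), a single generic response that is the same whether or not the address exists, and a burst counter that records an alert for monitoring.

```python
"""Added example (not the platform's own code): per-IP and per-account
throttling for a "forgot password" endpoint, a uniform response that does
not reveal whether an account exists, and a simple burst monitor for alerting.
Limits, the in-memory store, the hashing key and the account list are assumptions."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600            # one-hour window, as in the report's "3 per hour"
MAX_PER_ACCOUNT = 3              # resets per account per window (from the report)
MAX_PER_IP = 10                  # assumed: one IP may front several real users (NAT)
ALERT_THRESHOLD_PER_IP = 20      # assumed: attempts per IP per window that trigger an alert
HASH_KEY = b"constructed-server-side-secret"  # assumed: keyed hash so the store holds no raw e-mails


class SlidingWindowLimiter:
    """Sliding-window counter: at most `limit` events per `window` seconds per key.
    In production the deques would live in a shared store (e.g. Redis); in-memory here."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def check_and_record(self, key, now):
        """Return True and record the event if under the limit, else False."""
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def account_key(email):
    """Keyed hash of the normalised address; distinct addresses get distinct limiter keys."""
    return hmac.new(HASH_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


class ForgotPasswordService:
    # One message for every outcome, so the response cannot be used to enumerate accounts.
    GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."

    def __init__(self, known_accounts):
        self.known_accounts = {e.lower() for e in known_accounts}   # constructed stand-in for a user DB
        self.ip_limiter = SlidingWindowLimiter(MAX_PER_IP, WINDOW_SECONDS)
        self.account_limiter = SlidingWindowLimiter(MAX_PER_ACCOUNT, WINDOW_SECONDS)
        self.ip_monitor = SlidingWindowLimiter(ALERT_THRESHOLD_PER_IP, WINDOW_SECONDS)
        self.sent = []     # (email, token) pairs that a real mailer would deliver
        self.alerts = []   # (ip, timestamp) records for the alerting pipeline

    def request_reset(self, ip, email, now=None):
        """Handle one reset request; returns (http_status, message)."""
        now = time.time() if now is None else now
        # 1. Monitoring counts every attempt, throttled or not, and flags bursts from one IP.
        if not self.ip_monitor.check_and_record(ip, now):
            self.alerts.append((ip, now))
        # 2. Per-IP throttle: blunt protection against inbox flooding, bulk-mail costs and DoS.
        if not self.ip_limiter.check_and_record(ip, now):
            return 429, "Too many requests; try again later."
        # 3. Per-account throttle keyed on the hashed address whether or not it exists,
        #    so a throttled unknown address behaves exactly like a throttled real one.
        if not self.account_limiter.check_and_record(account_key(email), now):
            return 200, self.GENERIC_MESSAGE
        # 4. Only now consult the user store; the response is identical either way.
        if email.strip().lower() in self.known_accounts:
            token = secrets.token_urlsafe(32)     # high-entropy token; guessing is impractical
            self.sent.append((email.strip().lower(), token))
        return 200, self.GENERIC_MESSAGE
```

The order of the checks matters: the monitor sees every attempt so throttled traffic still shows up in alerts, the per-IP limit is evaluated before anything account-specific, and the user store is only consulted after both limits pass, so neither timing nor response text differs between known and unknown addresses.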