
Bug Report: Missing Rate Limiting on Account Deletion Email Trigger

Category: Security Misconfiguration
Date: Aug 25, 2025

Researcher: Vedant lastname

Description

Reported by: Vedant Vhatkar; security researcher with a keen interest in web application vulnerabilities and user protection. Passionate about uncovering flaws that could impact system integrity or user experience.

Summary

The account deletion flow on the website lacks proper rate limiting on the endpoint that sends deletion confirmation emails. This allows an attacker to repeatedly trigger email notifications, potentially leading to email flooding, denial of service, or user harassment.
Video PoC: https://drive.google.com/file/d/1_z2T_hb-hDk2fb5Gq-w1PJb7UJXw5XT8/view?usp=drive_link

Reported on: Aug 25, 2025

Impact

Email Bombing: A malicious actor could flood a user’s inbox with deletion requests.
Denial of Service: The mail server may be overwhelmed, affecting other users.
User Harassment: Repeated deletion prompts could confuse or distress users.
Security Risk: If chained with other vulnerabilities (e.g., CSRF or weak authentication), this could escalate into a more serious exploit.

Suggested Fix

Implement rate limiting on the endpoint that triggers deletion confirmation emails.
Consider throttling based on IP address, user ID, or request frequency.
Add CAPTCHA or other abuse-prevention mechanisms if appropriate.
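One way to implement the throttling suggested above, as an added example and not the affected site's code: a limiter that checks both a per-user cooldown (one deletion email per account per window) and a per-IP sliding window, so a single client cannot flood one inbox or hammer the mail server across many accounts. The window sizes, limits and the `send_deletion_email` wrapper are assumed values for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed limits for illustration; tune to the real deletion flow.
USER_COOLDOWN_SECONDS = 300   # one deletion email per account per 5 minutes
IP_WINDOW_SECONDS = 3600      # sliding window for per-IP counting
IP_MAX_PER_WINDOW = 5         # deletion-email triggers allowed per IP per window


class DeletionEmailLimiter:
    """Gate for the 'send account deletion confirmation email' action.

    Both checks must pass: the per-user cooldown stops repeated mails to one
    inbox, the per-IP sliding window stops one source from triggering many
    mails across different accounts. An injectable clock keeps it testable.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._last_sent_by_user = {}          # user_id -> timestamp of last send
        self._ip_hits = defaultdict(deque)    # ip -> timestamps inside the window

    def allow(self, user_id, ip):
        now = self._clock()
        last = self._last_sent_by_user.get(user_id)
        if last is not None and now - last < USER_COOLDOWN_SECONDS:
            return False, "user cooldown active"
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= IP_WINDOW_SECONDS:   # expire old hits
            hits.popleft()
        if len(hits) >= IP_MAX_PER_WINDOW:
            return False, "ip window exhausted"
        # Record the send only once both checks pass, so denied attempts do
        # not themselves extend the caller's cooldown.
        self._last_sent_by_user[user_id] = now
        hits.append(now)
        return True, "ok"


def send_deletion_email(limiter, user_id, ip, mailer):
    """Endpoint handler shape: consult the limiter before touching the mailer."""
    allowed, reason = limiter.allow(user_id, ip)
    if not allowed:
        return {"http_status": 429, "sent": False, "reason": reason}
    mailer(user_id)
    return {"http_status": 202, "sent": True, "reason": reason}


if __name__ == "__main__":
    lim = DeletionEmailLimiter()
    print(send_deletion_email(lim, "user-1", "198.51.100.7", lambda u: None))
    print(send_deletion_email(lim, "user-1", "198.51.100.7", lambda u: None))
```

The second call in the demo is refused with 429 because the per-user cooldown from the first call is still active.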