No rate limiting in changing room subject.
State Resolved (Closed)
Disclosed publicly 2018-10-09T03:59:44.566Z
Reported To
Weakness none
Bounty $100
Timeline
submitted a report to Chaturbate.
2018-10-03T12:23:54.508Z

Before I shed more light on this: I noticed I can create over 200 apps, but I don't really know how valid that was.
I want to report that there is no rate limiting in changing room subject.
Attacker scenario:

  1. Navigate to https://chaturbate.com/b/your username
  2. Try to create a room subject and capture the request.
  3. Send to intruder and repeater it numerous times.
  4. I tried this 144 times and it was successful. Thanks. Below is a video as a PoC.

Impact

Brute-forcing.

Regards,
Frans

williammmllc Activities::ReportSeverityUpdated
2018-10-04T21:27:35.376Z


williammmllc Activities::BugTriaged
2018-10-04T21:27:50.544Z
Thanks for the report, there's no real harm here but we'll add a limit.
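The fix the triage comment promises, as an added illustration (this is not Chaturbate's code; the limit of 5 changes per 60 seconds, the user name and the clock are constructed assumptions): a per-user sliding-window limiter in front of the subject-change handler, with the unlimited handler from the report beside it for contrast.

```python
"""Per-user rate limit on a 'change room subject' action (added example).

The report above shows the subject endpoint applying every submission
(144 in a row). This sketch shows the fix shape: a sliding-window counter
keyed by user, with the clock injected so the behaviour is deterministic.
"""
from collections import deque


class FakeClock:
    """Constructed clock so the window can be advanced without sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SubjectRateLimiter:
    def __init__(self, max_changes, window_seconds, clock):
        self.max_changes = max_changes
        self.window = window_seconds
        self.clock = clock        # callable returning the current time in seconds
        self._events = {}         # user -> deque of accepted-change timestamps

    def allow(self, user):
        now = self.clock()
        q = self._events.setdefault(user, deque())
        while q and now - q[0] >= self.window:   # expire old entries
            q.popleft()
        if len(q) >= self.max_changes:
            return False                        # caller answers HTTP 429
        q.append(now)
        return True


def change_subject_unlimited(state, user, subject):
    state[user] = subject                       # the behaviour the report found
    return True


def change_subject_limited(state, limiter, user, subject):
    if not limiter.allow(user):
        return False                            # subject left unchanged
    state[user] = subject
    return True


def simulate_burst(n, handler, clock, spacing=0.1):
    """Constructed scenario: one user submits n changes, spacing seconds apart.
    Returns how many submissions were actually applied."""
    state, applied = {}, 0
    for i in range(n):
        if handler(state, "demo_user", f"subject {i}"):
            applied += 1
        clock.advance(spacing)
    return applied
```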


Activities::BountyAwarded
2018-10-04T21:28:23.798Z


cunn Activities::Comment
2018-10-04T22:22:52.444Z
Thanks for the bounty. I'm grateful, sir.


williammmllc Activities::BugResolved
2018-10-06T00:05:46.827Z
This is now resolved, can you confirm? Thanks again for the report!


cunn Activities::Comment
2018-10-06T06:48:04.331Z
Good one, sir. I can confirm the fix. Not even a bypass can break it. Good job. Can we disclose this?


williammmllc Activities::AgreedOnGoingPublic
2018-10-07T00:17:41.070Z


cunn Activities::Comment
2018-10-07T00:22:11.645Z
Yeah


williammmllc Activities::ManuallyDisclosed
2018-10-09T03:59:44.479Z