🚨 API Verification Code Brute Force Vulnerability

As part of my security research on YesWeHack and HackerOne programs, I discovered a vulnerability in an API endpoint that handles email verification codes.

📌 Issue Summary

The API endpoint that verifies user email addresses via the verification_code parameter implements no rate limiting or other protection mechanism. This allows an attacker to brute force the verification code for any given email address, potentially leading to account takeover or a bypass of the email verification process.


๐Ÿ” Steps to Reproduce

  1. Go to the registration page: https://mysrc.group/register_main
  2. Register using a temporary/disposable email.
  3. Intercept the verification request in Burp Suite.
  4. Send a request with an invalid verification code to the following endpoint:

     GET /api/user/auth/email?e_mail=user@example.com&verification_code=$invalidcode$

  5. In Burp Repeater, send multiple requests with different verification_code values.
  6. Observe that the server responds with:

     "message": "Verification code is incorrect, please re-enter.",
     "status_code": "4345"

     and does not enforce any delay, block, or rate limit.
  7. Continue brute forcing until the correct code is guessed, at which point the response will be:

     "message": "Succeeded",
     "status_code": "0"

Proof of Concept

  • Invalid Request Example:
GET /api/user/auth/email?e_mail=user@example.com&verification_code=000123 HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: application/json, text/plain, */*
Connection: keep-alive

Outcome: Over 100 distinct requests were sent without any blocking, delay, or CAPTCHA challenge. Eventually, a valid verification code was guessed, granting unauthorized account verification.

💥 Vulnerability Impact

  1. No Rate Limiting: Attackers can rapidly guess verification codes.
  2. Account Takeover Risk: Unauthorized access is possible if the correct code is guessed.
  3. Privacy & Security Risks: User data is at risk due to weak verification controls.

📢 Recommendation

  • Implement rate limiting for verification attempts.
  • Introduce CAPTCHA after several failed attempts.
  • Use longer, more complex verification codes with expiration times.
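The server-side check the recommendations above describe, as an added example that is not part of the original report or the affected API: each issued code expires, is single-use, and is invalidated after a bounded number of wrong guesses, so Repeater-style guessing gets at most MAX_ATTEMPTS tries per code. The in-memory store, the limits and the two extra response messages are assumptions for illustration; the "incorrect" and "Succeeded" messages are the ones quoted in the report.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6          # digits in a verification code (assumed)
CODE_TTL_SECONDS = 600   # a code expires 10 minutes after issue (assumed)
MAX_ATTEMPTS = 5         # wrong guesses allowed per issued code (assumed)

# Constructed in-memory store: email -> {"code", "issued", "failures"}.
# A real service would keep this in a shared store such as Redis so every
# API instance sees the same attempt counter.
_pending = {}

MSG_INCORRECT = "Verification code is incorrect, please re-enter."
MSG_SUCCESS = "Succeeded"
MSG_EXPIRED = "Verification code expired, request a new one."      # constructed
MSG_LOCKED = "Too many failed attempts, request a new code."      # constructed


def issue_code(email, now=None):
    """Issue a fresh random code for `email` and reset its attempt counter.
    Code issuance itself should also be rate limited per email/IP, otherwise
    re-requesting a code resets the counter for free."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    _pending[email] = {"code": code, "issued": now, "failures": 0}
    return code


def verify_code(email, submitted, now=None):
    """Check a submitted code. Returns (ok, message)."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:                      # nothing issued, or already consumed
        return False, MSG_INCORRECT
    if now - entry["issued"] > CODE_TTL_SECONDS:
        del _pending[email]                # expired codes can never be guessed
        return False, MSG_EXPIRED
    if entry["failures"] >= MAX_ATTEMPTS:
        del _pending[email]                # lock out: the code is void even if correct
        return False, MSG_LOCKED
    # Constant-time comparison so response timing does not leak how many
    # leading characters matched.
    if hmac.compare_digest(entry["code"], str(submitted)):
        del _pending[email]                # single use: no replay of a known-good code
        return True, MSG_SUCCESS
    entry["failures"] += 1                 # count the miss against this code
    return False, MSG_INCORRECT
```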

Thanks For Reading ⚡❤️

#BugBounty #CyberSecurity #API #Vulnerability #ResponsibleDisclosure #YesWeHack #HackerOne