API Rate-Limit Restriction (3 request maximum) Bypass using Race Condition

[0xygyn-X]

Describe the bug
A clear and concise description of what the bug is.

Rate-limit restriction helps ensure a certain threshold is put in place to prevent excessive request.

AIxBlock has put in place a rate-limit restriction helps protect that prevent multiple requests within a time-frame.

The restriction put in place by AIxBlock is currently -- 3 requests on password reset before you get rate-limited (you will be forced to wait for 5 minutes before you can send your 4th request)

Leveraging on race-condition vulnerability on password reset endpoint, the restriction of 3 requests was bypassed allowing a threat actor to send more than 3 requests. Hence, the protection put in place was bypassed.

To Reproduce
Steps to reproduce the behavior:

1. Go to Account Settings --> Profile Settings --> Reset Password (Internal or External Password Reset Functionality)

2. Enter targeted email address --> Click on Confirm --> 'https://app.aixblock.io/user/reset-password'

3. Intercept the request using your preferred proxy tool (I used Burp suite proxy)

4. Forward the request to Turbo Intruder or your preferred -- concurrency / threading tools.

5. Use the payload below or modify it to suite your result (more threads / connection)

Expected behavior
As AIxBlock team has implemented Rate-Limit protection, also ensure Race-Condition (multi-threading / concurrency) protection is enforced. Ensure rate-limit restriction bypass via concurrency or multi-threading flaw is also enforced by using semaphore or thread locking methods.

Screenshots
Find attached video

Desktop (please complete the following information):

• OS: Ubuntu
• Browser: Firefox

[0xygyn-X]

Payload:

def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=30,
requestsPerConnection=300,
pipeline=True,
engine=Engine.THREADED
)

for x in range(30):
    engine.queue(target.req, x)

def handleResponse(req, interesting):
table.add(req)

Video:
https://drive.google.com/file/d/1Bjm1no8JtFn8l1WLTqNPDHNX96kiUeyq/view?usp=sharing
https://drive.google.com/file/d/1kMa2pD0rQAWNEIjo6a4c_rXV7TMZbr-z/view?usp=sharing

[tqphu27]

We acknowledge receipt of your submission. Thank you — we will respond within 7 days.
Please make sure you star the repository, fork it, and submit a valid Pull Request — submissions that don’t meet these requirements may be considered invalid.

[tqphu27]

Thank you for your submission.

We are closing and rejecting this report because it does not meet the required criteria for consideration. Specifically, you have not followed our mandatory disclosure process, which includes submitting a pull request to our public repository demonstrating the issue or proposed remediation.

Without this step, the report is not eligible for review or reward.

[0xygyn-X]

Hello @tqphu27 ,

PR raised. kindly review.

[tqphu27]

Hi @0xygyn-X , Thank for your submission.

Thank you for your detailed report on the Rate-Limit Bypass vulnerability in the password reset functionality, along with the clear video demonstrations. We appreciate your effort and findings.

After reviewing and successfully reproducing the issue, our team has confirmed the existence of this vulnerability. According to our program's evaluation framework, we have classified this vulnerability as LOW.

Reasoning for classification:
This vulnerability allows bypassing the request limit mechanism, which could lead to a "Mail Bombing" scenario (annoying the user and potentially affecting our email service costs or reputation). However, it does not directly lead to a risk of account takeover or the exposure of sensitive user data.

For a "Low" severity finding, the reward is $100 worth of token & rev-share, which will be distributed according to our program's published policy (on or after our TGE date).

We have passed this issue on to our development team to plan a fix by implementing proper locking mechanisms to handle concurrent requests.

Thank you for your contribution, and we look forward to receiving more reports from you in the future.