Description:
Dear Bugcrowd VRT Team,
I respectfully request the reclassification of the OTP brute-force vulnerability from its current P5 rating ("Server Security Misconfiguration > Email Verification Bypass") to a higher priority, specifically P2, under the "Server Security Misconfiguration > OAuth misconfiguration > Account takeover" category.
Current Classification:
Category: Server Security Misconfiguration
Subcategory: Email Verification Bypass
Priority: P5
Why I Disagree: This classification underestimates the impact of the vulnerability. The ability to brute-force OTPs without any rate-limiting or lockout mechanisms directly leads to account takeover, resulting in severe consequences such as financial loss, reputational damage, and unauthorized access to sensitive user data.
Reasons for Reclassification:
1. Absence of Rate-Limiting or Lockout: There are no mechanisms to restrict brute-force attacks on OTPs, allowing attackers to systematically guess OTPs and effectively bypass the second authentication factor.
2. Static or Long-Lived OTPs: OTPs being static or valid for extended periods increases the attack window for adversaries.
3. Ease of Attack Automation: Attackers can automate OTP guessing using tools like Burp Suite or simple scripts, enabling rapid account compromise.
4. Direct Account Takeover: Successfully guessing the correct OTP grants full control over the user's account, which is a high-impact outcome.
5. Precedent: A similar case was published on Medium (https://medium.com/@gb452011/account-takeover-by-otp-brute-force-8d808a421802), where Bugcrowd recognized and rewarded such a vulnerability with a higher priority, indicating that these issues are considered more severe in other contexts.
Proposed Classification:
Category: Server Security Misconfiguration
Subcategory: OAuth misconfiguration
Variant: Account takeover
Priority: P2
Impact: Account takeover vulnerabilities are typically rated higher due to their significant harm potential. In this case, the vulnerability allows attackers to brute-force OTPs and compromise any account, constituting a clear bypass of the second authentication factor.
I kindly request a reevaluation and reclassification to reflect the severity of this vulnerability. I am happy to provide additional details or participate in further discussions.
Best regards,
Yusif Kerimov
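The two conditions the request above calls out (no attempt limit or lockout, and OTPs that stay valid for a long time) are both properties of the server-side verification step. The following example is added here to illustrate the defensive side of that step; it is not code from the issue author, from Bugcrowd, or from the VRT repository. It contrasts a minimal unbounded comparison with a verifier that enforces a short time-to-live, a bounded number of wrong guesses, a temporary lockout, single use of each code, and a constant-time comparison. All names (`OtpVerifier`, `issue`, `verify`, the threshold constants) and the result strings are assumptions chosen for this example, and the injectable `now` clock exists only so the behaviour can be exercised without waiting.

```python
"""Rate-limited, short-lived, single-use OTP verification (added example, not project code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Policy values are illustrative assumptions, not figures from the issue.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300       # a code is discarded 5 minutes after issue
MAX_ATTEMPTS = 5            # wrong guesses tolerated before the code is invalidated
LOCKOUT_SECONDS = 900       # no verification accepted for this long after MAX_ATTEMPTS


def verify_unbounded(stored_code: str, guess: str) -> bool:
    """The weak pattern described in the issue: every guess is answered, forever.

    Nothing counts attempts, nothing expires the code, and the code survives a
    correct guess, so the only limit on guessing is the 10**OTP_DIGITS keyspace.
    """
    return stored_code == guess


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpVerifier:
    """Server-side OTP store that bounds both the attack window and the attempt count."""
    ttl: float = OTP_TTL_SECONDS
    max_attempts: int = MAX_ATTEMPTS
    lockout: float = LOCKOUT_SECONDS
    now: Callable[[], float] = time.time          # injectable clock for testing
    _records: Dict[str, OtpRecord] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def issue(self, account: str) -> str:
        """Generate a fresh random code; issuing again replaces any outstanding code."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[account] = OtpRecord(code=code, issued_at=self.now())
        return code

    def verify(self, account: str, guess: str) -> str:
        """Return one of: 'ok', 'wrong', 'expired', 'locked', 'no_otp'."""
        t = self.now()
        # Lockout is checked first so a locked account learns nothing from further guesses.
        if self._locked_until.get(account, 0.0) > t:
            return "locked"
        rec = self._records.get(account)
        if rec is None:
            return "no_otp"
        # Short TTL closes the "long-lived OTP" window.
        if t - rec.issued_at > self.ttl:
            del self._records[account]
            return "expired"
        # Constant-time compare avoids leaking how many leading digits matched.
        if hmac.compare_digest(rec.code, guess):
            del self._records[account]        # single use: a correct code cannot be replayed
            return "ok"
        rec.attempts += 1
        if rec.attempts >= self.max_attempts:
            # Invalidate the code and lock the account rather than keep answering guesses.
            del self._records[account]
            self._locked_until[account] = t + self.lockout
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("demo-user")
    print("issued", code)
    print("wrong guess ->", v.verify("demo-user", "000000" if code != "000000" else "000001"))
    print("right guess ->", v.verify("demo-user", code))
    print("replay       ->", v.verify("demo-user", code))
```

With six digits and five permitted attempts, a guesser's chance per issued code is 5 in 1,000,000, and each exhausted code costs a 15-minute lockout; the unbounded variant offers no such ceiling. In production the records and lockout state would live in a shared store so the limit holds across application instances, and lockout events would be logged as a detection signal.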