Brute force OTP with IP rotation

High
indirect published GHSA-8m6q-8hm4-fvh2 Jun 11, 2022

Package

bundler rubygems.org (RubyGems)

Affected versions

n/a

Patched versions

n/a

Description

Summary

We had a rate limit of 100 req / 10 min per IP address on the request that verifies the OTP code. Because the limit was keyed only on the client IP, it was possible to brute force the OTP code if the attacker used an IP rotator.

Impact

Brute-forcing the OTP code could be escalated to account takeover if the attacker already had the user's password, or could hijack the user's session by some other means.

Patches

We have added a rate limit of 300 req / 5 min and 900 req / 25 hr per user account. This limit can't be bypassed by changing the IP address of the client. Please check 5c534e2 for more details.
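The following is an added illustration, not rubygems.org's own code from 5c534e2: a small Ruby sliding-log limiter that applies both the old per-IP limit and the new per-account limits from this advisory, with a simulation of the IP-rotation attack showing that the account bucket keeps counting while the IP bucket resets. The class, method names and the sample account and IP values are assumptions for the example.

```ruby
# Added example (not rubygems.org's own code): a sliding-log OTP rate limiter
# that keys on the user account as well as the client IP, using the limits the
# advisory describes. Rotating IPs resets the IP bucket but not the account one.
class OtpRateLimiter
  # Each limit is [max_attempts, window_seconds].
  DEFAULT_IP_LIMITS      = [[100, 10 * 60]].freeze
  DEFAULT_ACCOUNT_LIMITS = [[300, 5 * 60], [900, 25 * 60 * 60]].freeze

  def initialize(ip_limits: DEFAULT_IP_LIMITS, account_limits: DEFAULT_ACCOUNT_LIMITS)
    @ip_limits = ip_limits
    @account_limits = account_limits
    @log = Hash.new { |h, k| h[k] = [] } # bucket key => attempt timestamps
  end

  # True if this OTP verification attempt may proceed, false if throttled.
  # Every attempt is recorded, allowed or not, so denied requests still count.
  def allow?(account:, ip:, now: Time.now.to_i)
    ip_key, acct_key = [:ip, ip], [:account, account]
    allowed = within?(ip_key, @ip_limits, now) && within?(acct_key, @account_limits, now)
    @log[ip_key] << now
    @log[acct_key] << now
    allowed
  end

  private

  def within?(key, limits, now)
    longest = limits.map { |_, window| window }.max || 0
    @log[key].reject! { |t| t <= now - longest } # drop entries outside every window
    limits.all? { |max, window| @log[key].count { |t| t > now - window } < max }
  end
end

# Simulate the attack from the advisory: one target account, a fresh IP every
# `per_ip` attempts, all within the same minute. Returns how many got through.
def simulate_ip_rotation(limiter, attempts:, per_ip: 100, now: 1_700_000_000)
  allowed = 0
  attempts.times do |i|
    ip = "198.51.100.#{i / per_ip}" # constructed addresses from the documentation range
    allowed += 1 if limiter.allow?(account: "victim@example.com", ip: ip, now: now)
  end
  allowed
end

if __FILE__ == $PROGRAM_NAME
  puts "IP limit only: #{simulate_ip_rotation(OtpRateLimiter.new(account_limits: []), attempts: 1000)} of 1000 allowed"
  puts "Per account:   #{simulate_ip_rotation(OtpRateLimiter.new, attempts: 1000)} of 1000 allowed"
end
```

With the IP-only limit, ten rotated addresses let all 1000 guesses through; with the account bucket, only the first 300 pass, and since every attempt is counted the 900 / 25 hr ceiling is then already spent for that account.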

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs

Credits