Summary
No rate limiting exists on OTP verification, allowing an attacker who already holds valid credentials to bypass two-factor authentication
Details
The otpLogin mutation does not rate-limit One Time Password verification attempts: a client can submit an unbounded number of OTP guesses for the same login without the code expiring, the account locking, or the attempts being counted. An attacker who already holds valid credentials (or a malicious insider committing internal fraud) can therefore brute-force the OTP, bypass the second factor, and hijack the account. A numeric OTP has a small keyspace (one million values for six digits), so with unlimited attempts exhaustive search is practical.
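The following Python model, added here as an illustration and not code from the affected project (the real otpLogin mutation is not reproduced on this page), contrasts an OTP verifier with no attempt counting against one that burns a code after a fixed number of failures and after a time-to-live. The names (`otp_login_unlimited`, `otp_login_limited`, `Challenge`), the limits (`MAX_ATTEMPTS`, `OTP_TTL_SECONDS`) and the sample code `004217` are assumptions chosen for the example. The `brute_force` helper plays the attacker who already has the password and guesses codes in ascending order until the server accepts one or refuses further attempts.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses burn the code


@dataclass
class Challenge:
    """One issued OTP; in a real service this lives server-side, keyed by user."""
    code: str
    issued_at: float
    failures: int = 0
    burned: bool = False


def issue_challenge(now: float, code: Optional[str] = None) -> Challenge:
    """Create a fresh OTP challenge. The code is random unless a test injects one
    (the injected value is constructed data for the example)."""
    if code is None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    return Challenge(code=code, issued_at=now)


def otp_login_unlimited(ch: Challenge, code: str) -> str:
    """Vulnerable model: verifies on every call and never counts attempts,
    so the attacker may iterate the whole keyspace against one code."""
    return "ok" if hmac.compare_digest(ch.code, code) else "invalid"


def otp_login_limited(ch: Challenge, code: str, now: float) -> str:
    """Hardened model: the code expires after OTP_TTL_SECONDS and is burned
    after MAX_ATTEMPTS failures, so a guesser gets at most MAX_ATTEMPTS tries
    per code and must trigger a fresh (random) code to continue."""
    if ch.burned or now - ch.issued_at > OTP_TTL_SECONDS:
        return "locked"
    if hmac.compare_digest(ch.code, code):
        ch.burned = True        # single use: a correct code cannot be replayed
        return "ok"
    ch.failures += 1
    if ch.failures >= MAX_ATTEMPTS:
        ch.burned = True        # further calls return "locked" until reissued
    return "invalid"


def brute_force(login: Callable[[str], str],
                max_guesses: int = 10 ** OTP_DIGITS) -> Tuple[bool, int]:
    """Attacker loop: submit codes 000000, 000001, ... until the server says
    "ok" or refuses with "locked". Returns (succeeded, guesses_made)."""
    for n in range(max_guesses):
        status = login(f"{n:0{OTP_DIGITS}d}")
        if status == "ok":
            return True, n + 1
        if status == "locked":
            return False, n + 1
    return False, max_guesses


if __name__ == "__main__":
    # Same constructed code for both servers; only the verifier logic differs.
    weak = issue_challenge(now=1000.0, code="004217")
    print("no rate limit:", brute_force(lambda c: otp_login_unlimited(weak, c)))
    strong = issue_challenge(now=1000.0, code="004217")
    print("rate limited: ", brute_force(lambda c: otp_login_limited(strong, c, 1001.0)))
```

Against the unlimited verifier the loop recovers the code after exactly as many requests as the code's numeric value plus one (on average half a million for six digits, which is a few hours of HTTP requests); against the limited verifier it is stopped after `MAX_ATTEMPTS` wrong guesses, leaving a 5 in 1,000,000 chance per issued code. Counting attempts per challenge rather than per source IP is what matters here, since the attacker can rotate addresses but cannot avoid consuming the attempt budget of the one code that is valid.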
Impact
An attacker who has obtained valid credentials through phishing, a dark-web credential dump, or other means can complete authentication despite the second factor, resulting in account takeover, unauthorized access to sensitive information, and modification of content.