Brute-Force Attack Vulnerability: Missing Rate Limiting and Lockout
Describe the bug
Currently, the login code verification process lacks a rate-limiting mechanism and an account lockout feature after a certain number of failed attempts. This makes the system vulnerable to brute-force attacks where an attacker can repeatedly try different login codes until they succeed.
To Reproduce
Steps to reproduce the behavior:
- Go to the login page and enter an email address to receive a login code.
- Submit incorrect login codes multiple times (e.g., more than 3 times).
- Observe that there is no limit to the number of attempts and no account lockout is triggered.
Expected behavior
After a predefined number of incorrect login attempts (e.g., 3 attempts), the account should be temporarily locked for a specified duration (e.g., 15 minutes). Further attempts should be blocked until the lockout period expires.
Actual behavior
The system currently allows unlimited login attempts without locking the account, making it susceptible to brute-force attacks.
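The lockout the issue asks for (3 failed attempts, then a 15-minute lock, with a reset only after a fresh code is issued) can be implemented as a small per-account state machine around the code check. The following is an added example written for this issue, not the project's own code; `LoginCodeVerifier`, its in-memory store and the injectable clock are assumptions, and the email and code values are constructed.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 3           # failed attempts allowed before lockout (per the issue)
LOCKOUT_SECONDS = 15 * 60  # lockout duration (per the issue)


@dataclass
class AccountState:
    code: Optional[str]        # login code currently issued to this email, None once used
    failures: int = 0          # consecutive failed attempts since the last lock/reset
    locked_until: float = 0.0  # unix timestamp; 0 means not locked


class LoginCodeVerifier:
    """Verifies emailed login codes with per-account failure counting and lockout.

    Assumption: an in-memory dict is the store. A real deployment keeps this in
    shared storage (e.g. the database or a cache) so the counter survives
    restarts and is consistent across application instances.
    """

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can advance time deterministically
        self.accounts: dict = {}

    def issue_code(self, email: str, code: str) -> None:
        # A fresh code resets the failure counter but does not clear an active lock.
        state = self.accounts.get(email)
        if state is None:
            self.accounts[email] = AccountState(code=code)
        else:
            state.code, state.failures = code, 0

    def verify(self, email: str, submitted: str) -> str:
        """Returns 'ok', 'locked' or 'invalid'. Unknown emails get 'invalid'."""
        state = self.accounts.get(email)
        if state is None:
            return "invalid"
        now = self.clock()
        if now < state.locked_until:
            return "locked"  # refuse before comparing, so the lock cannot be probed
        if state.code is not None and hmac.compare_digest(state.code, submitted):
            state.code, state.failures = None, 0  # one-time use
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0  # counter restarts after the lock expires
        return "invalid"
```

Rate limiting on the endpoint (per IP and per email) still belongs in front of this check, since the lockout alone only bounds attempts per account.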
Screenshots
Below is a screenshot showing a script running multiple failed login attempts without triggering a lockout or rate limiting: