Mayswind ezBookkeeping Brute Force Vulnerability Allowing Privilege Escalation

Vulnerability

A privilege escalation vulnerability has been identified in Mayswind ezBookkeeping version 0.7.0. This issue arises from the absence of rate limiting on the login and backup code verification endpoints, allowing remote attackers to brute-force user credentials and two-factor authentication (2FA) backup codes. Exploitation of this vulnerability could lead to unauthorized access to user accounts and sensitive data.

Impact

Exploitation of this vulnerability chain could result in unauthorized access to user accounts, allowing attackers to bypass two-factor authentication, access sensitive user data, and make unauthorized changes to account information, such as email addresses.

Reproduction

To reproduce this vulnerability, log into the application and intercept the login request. The absence of rate limiting can be exploited by sending multiple password attempts. After successfully logging in, navigate to the 2FA settings and use the intercepted token to brute-force backup codes. Once a valid backup code is found, it can be used to gain full access to the account, including the ability to change the registered email address.

Remediation

The latest daily build of ezBookkeeping includes rate limiting for password and token verification attempts. Users are advised to update to this version.
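The fix the advisory describes is a cap on failed password and backup-code verification attempts. As an added illustration of that control (written for this page, not ezBookkeeping's own code, whose limiter is not shown here), the following Go program keeps a sliding-window count of failures per key, refuses further attempts once the limit is reached, resets the counter on success, and compares backup codes against stored SHA-256 digests in constant time. The limit of 5 failures per 15 minutes, the key names, and the sample code "a1b2-c3d4" are constructed assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrTooManyAttempts is returned once a key has exhausted its failed attempts
// inside the current window.
var ErrTooManyAttempts = errors.New("too many failed attempts; try again later")

// AttemptLimiter tracks failed verification attempts per key (for example
// "login:<username>" or "backup:<userID>") inside a sliding window.
// Hypothetical illustration for this advisory, not the project's implementation.
type AttemptLimiter struct {
	mu       sync.Mutex
	limit    int
	window   time.Duration
	failures map[string][]time.Time
	now      func() time.Time // injectable clock so the window can be tested
}

// NewAttemptLimiter builds a limiter; pass time.Now as the clock in production.
func NewAttemptLimiter(limit int, window time.Duration, clock func() time.Time) *AttemptLimiter {
	return &AttemptLimiter{limit: limit, window: window, failures: map[string][]time.Time{}, now: clock}
}

// prune discards failures older than the window; caller must hold mu.
func (l *AttemptLimiter) prune(key string) {
	cutoff := l.now().Add(-l.window)
	kept := l.failures[key][:0]
	for _, ts := range l.failures[key] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	l.failures[key] = kept
}

// Allowed reports whether key may attempt another verification now.
func (l *AttemptLimiter) Allowed(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.prune(key)
	return len(l.failures[key]) < l.limit
}

// RecordFailure notes one failed attempt for key.
func (l *AttemptLimiter) RecordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[key] = append(l.failures[key], l.now())
}

// Reset clears the failure history for key after a successful verification.
func (l *AttemptLimiter) Reset(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, key)
}

// BackupCodeChecker returns a function that compares a submitted code against
// the SHA-256 digests of the valid codes in constant time. Codes are kept
// hashed so a database leak does not expose them directly.
func BackupCodeChecker(validCodes []string) func(string) bool {
	digests := make([][32]byte, len(validCodes))
	for i, c := range validCodes {
		digests[i] = sha256.Sum256([]byte(c))
	}
	return func(submitted string) bool {
		got := sha256.Sum256([]byte(submitted))
		matched := 0
		for _, d := range digests { // scan every digest so timing does not reveal which one matched
			matched |= subtle.ConstantTimeCompare(got[:], d[:])
		}
		return matched == 1
	}
}

// VerifyBackupCode is the guarded verification path: refuse once the limit is
// hit, count each failure, and clear the counter on success.
func VerifyBackupCode(l *AttemptLimiter, userID, code string, check func(string) bool) (bool, error) {
	key := "backup:" + userID
	if !l.Allowed(key) {
		return false, ErrTooManyAttempts
	}
	if !check(code) {
		l.RecordFailure(key)
		return false, nil
	}
	l.Reset(key)
	return true, nil
}

func main() {
	// Constructed sample: one valid code, at most 5 failures per 15 minutes per user.
	limiter := NewAttemptLimiter(5, 15*time.Minute, time.Now)
	check := BackupCodeChecker([]string{"a1b2-c3d4"})
	for i := 1; i <= 6; i++ {
		ok, err := VerifyBackupCode(limiter, "user-42", "0000-0000", check)
		fmt.Printf("attempt %d: ok=%v err=%v\n", i, ok, err)
	}
}
```

Keying the counter on the account rather than only on the client address matters for the backup-code endpoint, since the attempts described above all arrive with the same valid session token; the same limiter can be applied to the password login path with a "login:<username>" key, and a per-address key can be layered on top for distributed guessing.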

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  8.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.