Rallly Token Brute Force Vulnerability Leading to Account Takeover

Vulnerability

A vulnerability exists in Rallly, an open-source scheduling and collaboration tool, in versions through 3.22.1. Rallly's token-based login sends a 6-digit numeric code to the user's email address; entering that code authenticates the user. A 6-digit numeric code has only 1,000,000 possible values (under 20 bits of entropy), and the endpoint that verifies it applies no rate limiting or attempt limit. An unauthenticated attacker who knows a registered user's email address can therefore request a code on the victim's behalf and enumerate every candidate value before the code expires 15 minutes after issue, taking over the associated account. All users of the Rallly application are affected.

Impact

Exploitation of this vulnerability gives the attacker a valid session for the targeted account, allowing them to impersonate that user. No action by the victim is required; the only visible trace on the victim's side is a login email they did not request.

Reproduction

To reproduce this vulnerability, obtain the email address of a registered user. Initiate a login request by entering that address, which triggers the sending of a 6-digit code to the victim's mailbox. The attacker never sees the code; instead, generate the list of all possible values (000000 through 999999) and submit each one to the verification endpoint with a tool such as ffuf, filtering responses for the one that differs from the rejection response. Once the correct code is accepted, set the next-auth.session-token cookie to the value returned by that request to authenticate as the targeted user. The full enumeration must complete within the 15-minute lifetime of the code, which at the request rates ffuf sustains against a single endpoint is comfortably achievable.
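The following is an added illustration, not Rallly's code and not the reporter's tooling. It models an email login-code verifier with a 6-digit code and a 15-minute lifetime, once with unlimited guesses (the weak configuration described above) and once with a per-code attempt cap, and runs a sequential enumeration against both so the arithmetic behind "brute-forceable within 15 minutes" is concrete. The request rates, the `LoginCodeStore` class and its status strings are assumptions chosen for the example; the `code=` parameter on `issue()` exists only so the scenario is deterministic.

```python
"""Added illustration (not Rallly's code): a toy e-mail login-code verifier
with a 6-digit code and a 15-minute lifetime, configured once with no
attempt limit and once with a per-code attempt cap, plus the arithmetic
that shows why the weak configuration is brute-forceable."""
import hmac
import secrets

TOKEN_DIGITS = 6
KEYSPACE = 10 ** TOKEN_DIGITS            # 1,000,000 possible codes
TOKEN_TTL_S = 15 * 60                    # 15-minute lifetime
US = 1_000_000                           # timestamps below are integer microseconds


class LoginCodeStore:
    """One live code per e-mail. max_attempts=None reproduces the weak setup
    (unlimited guesses); a small cap burns the code after a few misses."""

    def __init__(self, max_attempts=None, ttl_s=TOKEN_TTL_S):
        self.max_attempts = max_attempts
        self.ttl_us = ttl_s * US
        self._codes = {}                 # email -> [code, issued_at_us, attempts]

    def issue(self, email, now_us, code=None):
        # code= is only for deterministic tests; production always draws at random
        if code is None:
            code = f"{secrets.randbelow(KEYSPACE):0{TOKEN_DIGITS}d}"
        self._codes[email] = [code, now_us, 0]
        return code                      # the real app e-mails this, never returns it

    def verify(self, email, guess, now_us):
        """Returns 'ok', 'wrong', 'expired', 'locked' or 'none'."""
        entry = self._codes.get(email)
        if entry is None:
            return "none"
        code, issued_at, attempts = entry
        if now_us - issued_at > self.ttl_us:
            del self._codes[email]
            return "expired"
        if self.max_attempts is not None and attempts >= self.max_attempts:
            del self._codes[email]       # burn the code; the user must request a new one
            return "locked"
        entry[2] += 1
        if hmac.compare_digest(code, guess):
            del self._codes[email]       # single use
            return "ok"
        return "wrong"


def guesses_possible(rate_per_s, ttl_s=TOKEN_TTL_S):
    """How many guesses an attacker sending rate_per_s requests fits into the lifetime."""
    return rate_per_s * ttl_s


def keyspace_coverage(rate_per_s, ttl_s=TOKEN_TTL_S):
    """Fraction of the 10^6 keyspace reachable before expiry (1.0 = guaranteed hit)."""
    return min(1.0, guesses_possible(rate_per_s, ttl_s) / KEYSPACE)


def brute_force(store, email, rate_per_s, start_us=0):
    """Try 000000..999999 in order at a fixed rate until the code is accepted,
    expires, or the store locks. Returns (accepted_code_or_None, guesses_checked)."""
    checked = 0
    for i in range(KEYSPACE):
        now_us = start_us + (i * US) // rate_per_s
        result = store.verify(email, f"{i:0{TOKEN_DIGITS}d}", now_us)
        if result in ("wrong", "ok"):
            checked += 1
        if result == "ok":
            return f"{i:0{TOKEN_DIGITS}d}", checked
        if result in ("expired", "locked", "none"):
            return None, checked
    return None, checked


if __name__ == "__main__":
    # Constructed scenario: 1,200 requests/s is a modest rate for ffuf against one
    # endpoint and already covers the whole keyspace inside the 15-minute window.
    weak = LoginCodeStore(max_attempts=None)
    weak.issue("victim@example.com", 0)    # random code, unknown to the attacker
    print("coverage at 1200 req/s:", keyspace_coverage(1200))
    print("weak store:", brute_force(weak, "victim@example.com", 1200))
    capped = LoginCodeStore(max_attempts=5)
    capped.issue("victim@example.com", 0)
    print("capped store:", brute_force(capped, "victim@example.com", 1200))
```

The point of the capped store is that the fix is cheap: a handful of permitted attempts per issued code, after which the code is burned, turns a guaranteed hit into a 5-in-a-million chance per login email, and each further attempt requires sending the victim another unsolicited message. A longer or alphanumeric code raises the keyspace as well, but attempt limiting is what removes the "within 15 minutes" guarantee.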

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.