Blogin Weak Verification Code Generation and Rate Limiting Vulnerability Allowing Account Takeover
Vulnerability
A vulnerability exists in Blogin (weijiang1994 university-bbs) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84, dated January 13, 2025. The issue arises from a weak verification code generation process that uses cryptographically insecure random number generators, coupled with a lack of rate limiting and session binding. This combination allows attackers to perform brute-force attacks on verification codes without authentication, potentially leading to account takeover through password resets or other authentication bypass methods.
Impact
Exploitation of this vulnerability can result in unauthorized account access, allowing an attacker to take over a user's account by resetting the password or bypassing authentication mechanisms.
Reproduction
To reproduce this vulnerability, initiate the password reset process to receive a verification code. Then, send multiple POST requests to the '/reset-confirm/' endpoint with different verification codes. The absence of rate limiting on code submissions, combined with the small code space of six digits, enables successful brute-forcing of the verification codes in a short period. Once the correct code is identified, it can be used to reset the password and gain full access to the account.
Remediation
It is recommended to implement rate limiting on verification code requests, bind codes to user sessions or one-time tokens, and use a more secure random number generator for code creation.
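As an added illustration of these three remediations (this is example code written for this page, not code from Blogin/university-bbs), the store below generates codes with the OS CSPRNG, binds each code to an opaque one-time token instead of a bare user lookup, caps the guesses per code, and throttles how often one user can request a new code. The class name and the policy constants are hypothetical.

```python
import hmac
import secrets
import time

# Hypothetical policy values for the example; tune to the application.
CODE_LEN = 6
MAX_ATTEMPTS = 5          # guesses allowed per issued code
CODE_TTL = 600            # seconds a code stays valid
ISSUE_COOLDOWN = 60       # seconds between code requests for one user


class ResetCodeStore:
    """Issues reset codes bound to a one-time token, with expiry, a guess cap and an issue cooldown."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}      # token -> (user_id, code, expires_at, attempts_left)
        self._last_issue = {}   # user_id -> timestamp of the last issued code

    def issue(self, user_id):
        """Return (token, code), or None when the user requested a code too recently."""
        now = self._now()
        if now - self._last_issue.get(user_id, float("-inf")) < ISSUE_COOLDOWN:
            return None  # rate limit on code requests
        self._last_issue[user_id] = now
        # secrets draws from the OS CSPRNG; the random module is not suitable here.
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        token = secrets.token_urlsafe(32)  # opaque, unguessable handle the code is bound to
        self._pending[token] = (user_id, code, now + CODE_TTL, MAX_ATTEMPTS)
        return token, code

    def verify(self, token, submitted):
        """Return the bound user_id on success, else None. Each wrong guess burns an attempt."""
        entry = self._pending.get(token)
        if entry is None:
            return None
        user_id, code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[token]
            return None
        ok = (isinstance(submitted, str) and submitted.isascii()
              and hmac.compare_digest(code, submitted))  # constant-time compare
        if ok:
            del self._pending[token]  # single use
            return user_id
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[token]  # cap reached: the code is dead, a new one must be issued
        else:
            self._pending[token] = (user_id, code, expires_at, attempts_left)
        return None
```

The token would travel in the reset session or an emailed link, so a submitted code is only ever checked against the single code issued for that request.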
