Outline
cpe:2.3:a:getoutline:outline:*:*:*:*:*:*:*
- >= 0.86.0, <= 1.6.0
A vulnerability in Outline's email OTP login process for users without an Identity Provider has been identified. In versions from 0.86.0 prior to 1.6.0, the application does not invalidate an OTP code after repeated invalid submissions. Instead, it relies on a rate limiter that can be bypassed, allowing unlimited OTP submissions within the code's 10-minute lifespan. This flaw enables attackers to brute force OTP codes, leading to account takeover.
Exploitation of this vulnerability allows for unauthorized account access via the OTP login mechanism.
To reproduce the vulnerability: first generate a list of all possible OTP codes; then trigger OTP code creation for the target user; then use the generated wordlist to brute force the OTP codes by sending requests to the email callback endpoint. If the instance is cloud hosted with multiple workspaces, exchange the received transfer token for a session token.
Users should be advised to update to Outline version 1.6.0, where this vulnerability has been patched. Additionally, implement measures such as capping OTP attempt failures, enabling rate limiting by default, and enforcing account lockout after excessive invalid requests.
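As an added illustration of the mitigations above (example code, not Outline's own implementation), a minimal OTP store that enforces the 10-minute lifespan, single use, and a per-code cap on failed submissions so that bypassing an IP-based rate limiter buys no extra guesses. The cap of 5 attempts and the user identifiers are assumptions; the vulnerable behaviour is the same verify() without the failure counter.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_TTL_SECONDS = 10 * 60    # code lifetime given in the advisory
MAX_FAILED_ATTEMPTS = 5      # assumed cap; the advisory names no value

@dataclass
class PendingOtp:
    code: str
    created_at: float
    failures: int = 0

class OtpStore:
    """Per-user OTP state. Failure counting is bound to the code itself,
    so bypassing an IP-based rate limiter does not buy extra guesses."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                   # injectable for testing expiry
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, email: str) -> str:
        # A new request replaces any outstanding code and resets its counter.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = PendingOtp(code, self._clock())
        return code

    def is_pending(self, email: str) -> bool:
        return email in self._pending

    def verify(self, email: str, submitted: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False                      # nothing outstanding, or already invalidated
        if self._clock() - entry.created_at > OTP_TTL_SECONDS:
            del self._pending[email]          # expired: 10-minute lifespan exceeded
            return False
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[email]          # single use: consume on success
            return True
        entry.failures += 1
        if entry.failures >= MAX_FAILED_ATTEMPTS:
            del self._pending[email]          # cap reached: code is dead even if guessed next
        return False
```

In production the store would live in a shared database rather than process memory, and a lockout on the account (as the advisory recommends) would sit in front of issue() as well.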