MyTube Password Verification Endpoint Account Lockout Vulnerability
Vulnerability
A vulnerability in MyTube versions prior to 1.8.72 allows an unauthenticated attacker to lock administrator and visitor accounts out of password-based authentication. The application exposes three publicly accessible password verification endpoints that share a single file-backed login-attempt state, so a failed authentication attempt submitted to any one of them increments the shared failed-attempt counter and extends the cooldown that all three enforce. Because the state is global rather than tied to the requesting client, an attacker needs no credentials to drive the counter up, producing a denial of service against password login. Once the maximum lockout of 24 hours is reached, every further failed attempt keeps the cooldown at its maximum, so the attacker can maintain the lockout indefinitely simply by continuing to send failed attempts.
Impact
Exploitation results in a denial-of-service condition against password-based authentication for the affected administrator and visitor accounts: legitimate users cannot log in with a password for up to 24 hours per lockout, and for as long as the attacker keeps sending failed attempts to sustain it.
Reproduction
The vulnerability can be reproduced by sending repeated invalid authentication requests to any of the three password verification endpoints; no credentials or session are required. A script that loops over such requests drives the shared failed-attempt counter to its maximum, at which point password login is refused on all three endpoints, and continuing the loop at intervals shorter than the cooldown keeps the accounts locked out.
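The shared-state behaviour described above, modelled as an added Python example that is not MyTube's code: the endpoint names, the doubling cooldown schedule, the JSON file layout and the per-client hardening are assumptions made only to make the mechanism concrete. It contrasts the vulnerable global counter, where an attacker's failures on one endpoint deny an administrator's correct password on another and keep the lockout alive past 24 hours, with one possible fix that keys the state by client and ignores requests arriving during an active lockout.

```python
import json
import os
import tempfile

MAX_LOCKOUT = 24 * 3600          # the 24-hour cap stated in the advisory
ENDPOINTS = ("verify_a", "verify_b", "verify_c")  # stand-ins; real paths are not given
CORRECT_PASSWORD = "correct-horse-battery"         # constructed sample credential


def cooldown(failures):
    """Assumed escalating schedule: doubles per failure, capped at 24 h."""
    return min(MAX_LOCKOUT, 2 ** failures)


class FileState:
    """JSON-on-disk record standing in for the file-backed attempt state."""

    def __init__(self, path):
        self.path = path

    def load(self, default):
        if not os.path.exists(self.path):
            return default
        with open(self.path) as f:
            return json.load(f)

    def save(self, data):
        with open(self.path, "w") as f:
            json.dump(data, f)


class VulnerableVerifier:
    """Every endpoint reads and writes ONE shared record, and every failure,
    including one that arrives while already locked, extends the cooldown."""

    def __init__(self, state):
        self.state = state

    def verify(self, endpoint, password, now, client):
        assert endpoint in ENDPOINTS
        rec = self.state.load({"failures": 0, "locked_until": 0})
        # 'client' is ignored: the state is global, not per source or per account
        if now < rec["locked_until"] or password != CORRECT_PASSWORD:
            rec["failures"] += 1
            rec["locked_until"] = now + cooldown(rec["failures"])
            self.state.save(rec)
            return "denied"
        self.state.save({"failures": 0, "locked_until": 0})
        return "ok"


class HardenedVerifier:
    """One possible fix (an assumption, not necessarily what 1.8.72 does):
    state is keyed by client address, and requests arriving during an active
    lockout are rejected without touching the counter, so a remote attacker
    can neither lock out other clients nor keep a lockout alive forever."""

    def __init__(self, state):
        self.state = state

    def verify(self, endpoint, password, now, client):
        assert endpoint in ENDPOINTS
        table = self.state.load({})
        rec = table.get(client, {"failures": 0, "locked_until": 0})
        if now < rec["locked_until"]:
            return "denied"                      # locked: counter untouched
        if password != CORRECT_PASSWORD:
            rec["failures"] += 1
            rec["locked_until"] = now + cooldown(rec["failures"])
        else:
            rec = {"failures": 0, "locked_until": 0}
        table[client] = rec
        self.state.save(table)
        return "ok" if password == CORRECT_PASSWORD else "denied"


def run_scenario(verifier_cls):
    """Attacker sends 20 bad passwords to endpoint A, then one per hour for
    three days to endpoint C; the admin tries the correct password on endpoint
    B at t=20 s and again after the three days. Returns both admin outcomes."""
    with tempfile.TemporaryDirectory() as d:
        v = verifier_cls(FileState(os.path.join(d, "lockout.json")))
        for t in range(20):                      # 17 failures already hit the 24 h cap
            v.verify("verify_a", "wrong", t, client="203.0.113.7")
        during = v.verify("verify_b", CORRECT_PASSWORD, 20, client="198.51.100.2")
        for hour in range(1, 73):                # keepalive, well inside each cooldown
            v.verify("verify_c", "wrong", hour * 3600, client="203.0.113.7")
        after = v.verify("verify_b", CORRECT_PASSWORD, 73 * 3600, client="198.51.100.2")
    return during, after


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableVerifier))   # ('denied', 'denied')
    print("hardened:  ", run_scenario(HardenedVerifier))     # ('ok', 'ok')
```

With the doubling schedule the shared lockout reaches the 24-hour cap after 17 failures, and each hourly keepalive from the attacker resets the expiry to a further 24 hours, which is why the administrator is still refused three days later. The hardened variant is only one of several reasonable designs; the essential properties are that an unauthenticated source cannot raise the counter that gates other clients, and that attempts made while locked do not extend the lock.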
Remediation
Update to MyTube version 1.8.72 or later, which fixes this vulnerability.
