CodeWise Tornet Scooter Mobile App Excessive Authentication Attempts Vulnerability
Vulnerability
A vulnerability exists in the CodeWise Tornet Scooter Mobile App version 4.75 on iOS and Android. The affected code is an unidentified function behind the '/TwoFactor' endpoint, which fails to adequately restrict excessive authentication attempts. The weakness can be exploited remotely, allowing a brute-force attack on the application's two-factor authentication step. During testing, no rate limiting, CAPTCHA, or account lockout controls were observed on this endpoint.
Impact
Exploitation of this vulnerability allows for successful brute-force attacks on the application's two-factor authentication, enabling unauthorized access to user accounts.
Reproduction
The vulnerability can be reproduced by sending POST requests to the '/TwoFactor' endpoint, each carrying a candidate 4-digit verification code. Because the code space is only 10,000 values and nothing throttles the endpoint, this can be automated with a script that sends 30 concurrent requests, effectively brute-forcing the OTP verification. Successful authentication is confirmed by the response message indicating access to the home area.