In the world of cybersecurity, vulnerabilities can lead to severe consequences for organizations and their users. A recent discovery of a No Rate Limiting vulnerability in the PickMyCareer web application has raised alarms due to its potential for abuse, including database hijacking and SMS flooding. This post explores the details of this vulnerability, its impact, and the importance of implementing proper security measures to mitigate such risks.
Vulnerability Name: No Rate Limiting
Description: The absence of rate limiting in the registration endpoint allows an attacker to create an excessive number of accounts rapidly — over 10,000 accounts in less than a minute. This vulnerability can be exploited to hijack database storage and take advantage of SMTP mail services, leading to significant financial losses.
Rate limiting is a crucial security mechanism that restricts the number of requests a user can make to a server within a specific time frame. Without this safeguard, applications become vulnerable to various types of attacks, including brute-force attacks, denial-of-service (DoS) attacks, and account creation abuse. By failing to implement rate limiting, organizations expose themselves to significant risks that can compromise their systems and data integrity.
The impacts of not implementing rate limiting can be severe and varied:
- Database Hijacking: Attackers can create numerous spam accounts, overwhelming the database. This excessive load can lead to data loss or corruption, making it difficult for legitimate users to access their accounts or for administrators to manage the system effectively.
- Financial Loss: Exploiting SMTP services for spamming can result in substantial financial repercussions for organizations. Email service providers may impose penalties or throttle sending capabilities if they detect unusual activity originating from their servers. Additionally, organizations may face reputational damage if users receive spam or phishing emails appearing to come from their domain.
- Resource Exhaustion: The system may become unresponsive due to excessive resource consumption caused by the creation of numerous accounts. This can lead to service outages and negatively impact user experience, driving customers away from the platform.
- Potential for Further Exploitation: Once attackers gain access through spam accounts, they may exploit these accounts for additional malicious activities, such as launching phishing campaigns or conducting fraud.
To demonstrate how this vulnerability can be exploited, follow these steps:
- Create an Account: Start by creating a legitimate account on the PickMyCareer web application.
- Capture the Request: Use a tool like Burp Suite or any HTTP proxy tool to capture the HTTP request made during account creation.
- Open Burp Collaborator: Copy the link from Burp Suite and replace the email field in the HTTP POST packet with your Burp Collaborator link.
- Modify Username: Change the username value each time you send a request to create multiple accounts rapidly.
By following these steps, an attacker can exploit the lack of rate limiting to flood the application with spam accounts.
In light of this critical vulnerability, it is essential for organizations like PickMyCareer to take proactive measures:
- Implement Rate Limiting: Ensure that rate limiting is applied at various levels within your application — particularly on account creation endpoints — to prevent abuse. For example, limit the number of account creation requests from a single IP address within a specified time frame.
- Conduct Security Audits: Regularly audit web applications for vulnerabilities related to account creation and other critical functionalities. This includes testing for rate limiting issues as part of routine security assessments.
- Educate Users: Inform users about the risks associated with creating multiple accounts and encourage them to report any suspicious activity they encounter on the platform.
- Monitor Traffic Patterns: Implement logging and monitoring mechanisms to detect unusual patterns in account creation or other user activities that could indicate an ongoing attack.
- Implement CAPTCHA: Use CAPTCHA mechanisms during account creation processes to deter automated scripts from creating multiple accounts quickly.
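As an added example (not PickMyCareer's code and not part of the original post), the block below shows the two controls the list above asks for in working form: a per-IP sliding-window limiter applied in front of a registration handler, and a burst detector that runs over registration log lines. The thresholds (5 registrations per IP per 10 minutes), the log line format and the IP addresses are assumptions chosen for illustration; the log sample is constructed, not real traffic.

```python
"""Per-IP sliding-window rate limiting for an account-registration endpoint,
plus a log-based burst detector. Illustrative example; thresholds, log format
and addresses are assumptions, not values from any real deployment."""
from collections import defaultdict, deque
from datetime import datetime


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `key` within any `window_seconds` span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now):
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def register(limiter, client_ip, email, now, store):
    """Registration handler: refuse with 429 once the per-IP budget is spent."""
    if not limiter.allow(client_ip, now):
        return {"status": 429, "error": "too many registrations, try again later"}
    store.append((client_ip, email, now))  # stand-in for the database insert
    return {"status": 201}


def simulate_burst(n=10000, max_per_window=5, window=600):
    """Replay a 10,000-request burst from one IP in under a minute (as the post
    describes) and report how many accounts the limiter lets through."""
    limiter = SlidingWindowLimiter(max_per_window, window)
    store = []
    outcomes = {201: 0, 429: 0}
    for i in range(n):
        now = i * 0.005  # 200 requests/second -> whole burst takes 50 seconds
        r = register(limiter, "203.0.113.10", f"user{i}@example.com", now, store)
        outcomes[r["status"]] += 1
    return outcomes, len(store)


# Constructed sample of registration log lines (not real PickMyCareer logs).
# Format assumed: "<ISO timestamp> <client ip> <method> <path> <status>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.10 POST /register 201
2024-01-01T10:00:00 203.0.113.10 POST /register 201
2024-01-01T10:00:01 203.0.113.10 POST /register 201
2024-01-01T10:00:01 203.0.113.10 POST /register 201
2024-01-01T10:00:02 203.0.113.10 POST /register 201
2024-01-01T10:00:02 203.0.113.10 POST /register 201
2024-01-01T10:00:03 203.0.113.10 POST /register 201
2024-01-01T10:00:03 203.0.113.10 POST /register 201
2024-01-01T10:05:00 198.51.100.7 POST /register 201
2024-01-01T11:30:00 198.51.100.7 POST /register 201
2024-01-01T11:30:05 198.51.100.7 POST /login 200
"""


def detect_bursts(log_text, threshold, window_seconds):
    """Return {ip: peak} for every IP whose successful registrations inside
    some window of `window_seconds` exceed `threshold`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, _method, path, status = line.split()
        if path == "/register" and status == "201":
            per_ip[ip].append(datetime.fromisoformat(ts))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within the span.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(simulate_burst())  # only 5 of the 10,000 requests create accounts
    print(detect_bursts(SAMPLE_LOG, threshold=5, window_seconds=60))
```

In a real deployment the limiter's state would live in a shared store (for example Redis) rather than in process memory, so that every application instance sees the same per-IP counters, and the detector would read from the web server's access log or a SIEM rather than an inline string. Keying only on the client IP is deliberately simple; a production rule set would usually also limit per email domain and per session.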
The discovery of a No Rate Limiting vulnerability in PickMyCareer highlights ongoing risks associated with web application security, particularly regarding resource management and user trust. By following best practices and remaining vigilant, organizations can better safeguard their systems against potential threats.
If you want to learn more about identifying and mitigating vulnerabilities related to rate limiting or discuss security best practices, feel free to reach out. Together, we can work towards enhancing the security posture of web applications and protecting sensitive information from exploitation.
For further inquiries or more information about this vulnerability, you can reach out to:
POC by: @karthithehacker
Mail: [email protected]
Website: https://www.karthithehacker.com/
If you’re interested in our VAPT service, contact us at [email protected] or [email protected].
For enrolling my cybersecurity and Bugbounty course,
WhatsApp +91 82709 13635.
Thank you