Ahmad Halabi

Published On: 21 Aug 2020

Crashing Chat Bot System

Rate Limits
General | Web
---
MEDIUM VALID

I found this bug in the `Maximum` program on HackerOne.

Description

The chat endpoint had no rate-limit protection, so an attacker could send an unbounded number of messages to the CHAT bot. The resulting denial of service crashed the CHAT bot and stopped it from responding to users.
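As an added mitigation example (not code from the report or from the Maximum program), this is a per-client sliding-window limiter of the kind the chat endpoint was missing, placed in front of a stub handler; the limit of 5 messages per 60 seconds, the `client-A` key and the `handle_chat_message` stub are assumptions for illustration.

```python
# Added example: per-client sliding-window rate limiting for a chat endpoint.
# The limit, window and the handler stub are assumptions, not the program's code.
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key."""

    def __init__(self, limit: int, window_seconds: float, clock: Callable[[], float]):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable clock so behaviour is testable without sleeping
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for one request from `key`."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Oldest hit decides when the next slot frees up.
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0


def handle_chat_message(limiter: SlidingWindowLimiter, client_id: str, text: str) -> Tuple[int, str]:
    """Stub chat endpoint: reject with 429 before the bot does any work."""
    allowed, retry_after = limiter.allow(client_id)
    if not allowed:
        return 429, f"Retry-After: {retry_after:.0f}"
    return 200, f"bot echo: {text}"


def simulate_burst(count: int, limit: int = 5, window: float = 60.0) -> List[int]:
    """Replay `count` messages from one client at t=0, then one more after the window."""
    t = [0.0]  # constructed fake clock
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: t[0])
    statuses = [handle_chat_message(limiter, "client-A", f"msg {i}")[0] for i in range(count)]
    t[0] = window  # advance past the window: the client is served again
    statuses.append(handle_chat_message(limiter, "client-A", "later")[0])
    return statuses


if __name__ == "__main__":
    print(simulate_burst(8))  # first 5 served, next 3 rejected, then 1 served again
```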

Impact

DoS: the CHAT bot crashes and stops responding to users.

Reproduction Steps

Step 1

Create a message, send it, and intercept its request. Send that request to Intruder.

Step 2

Launch the attack. The same request is now replayed and sent an unlimited number of times.

Step 3

After a while you will notice a 500 response code.


Step 4

The CHAT bot system crashes. Now try to send a message to the CHAT bot: no reply is returned.


Timeline

Ahmad, 11 Jul 2020: Initial Report

16 Jul 2020: Report Triaged

Ahmad, 22 Jul 2020: Discussing Remediation with the Team

28 Jul 2020: Issue Resolved. Fix confirmed by me.

21 Aug 2020: Bounty Awarded
