Believe it or not, straight to jail! Just kidding, great writeup. I know it's not groundbreaking, but does surprise me how many products don't bother with rate limiting controls.
i actually think a quick-fix was setting a rate limit. which sadly thwarted my brute-forcing, but did not actually fix the race condition itself. though it's a very fair "kid, stop it" response until they fixed the race condition.
Rate limiting is a stopgap, not a fix. I would have expected a transaction lock in Postgres (SELECT FOR UPDATE) to serialize the requests. Or a Redis mutex if they are worried about database contention.
ibigio|1 month ago
storystarling|1 month ago