Bypassing IP-Based OTP Rate Limits: A Bug Bounty Hunter's Guide
Summary
According to a report by a cybersecurity company, more than 50% of popular password-based multi-factor authentication (MFA) applications can be bypassed because their OTP verification relies solely on IP-based rate limits.
These limits cap the number of requests a single IP address may make in a given period, for example OTP verification attempts, in order to protect the application from brute-force and spam attacks.
The report demonstrates, however, that attackers can easily get around them with custom scripts combined with common misconfigurations, rendering the limits virtually useless. The weakness is structural: a counter keyed on the source IP resets as soon as the attacker changes the address the server sees, whether by rotating through proxies or cloud addresses or, where the server derives the client address from a client-supplied header such as X-Forwarded-For, by simply changing that header on every request.
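The following simulation is an added illustration and is not code from the report or from the original post. It models an OTP verification endpoint under two rate-limit designs: a weak one that keys its counter on an address taken from a client-supplied X-Forwarded-For header and keeps no per-account counter, and a hardened one that keys on the peer address the server actually sees and adds an independent per-account counter. The attacker modes, the 5-attempt limit, the constructed addresses and the fixed OTP are assumptions chosen so the outcome is repeatable; nothing here touches a network.

```python
"""Added simulation (not from the report): OTP brute force against two rate-limit designs.

Weak design     - limit keyed on an IP derived from a client-controlled
                  X-Forwarded-For header, no per-account counter.
Hardened design - limit keyed on the TCP peer address as seen by the server,
                  plus an independent per-account counter.
All addresses, the OTP value and the limits below are constructed test data.
"""
from collections import defaultdict
import secrets

OTP_LENGTH = 6
MAX_ATTEMPTS = 5   # attempts allowed per key within one window (assumed value)
WINDOW = 60        # seconds


class OtpService:
    def __init__(self, trust_forwarded_header: bool, per_account_limit: bool):
        self.trust_forwarded_header = trust_forwarded_header
        self.per_account_limit = per_account_limit
        self.attempts = defaultdict(list)   # (kind, value) -> attempt timestamps
        self.codes = {}                     # username -> outstanding OTP

    def issue_otp(self, username, code=None):
        """Issue a 6-digit OTP; an explicit code may be supplied for repeatable tests."""
        if code is None:
            code = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
        self.codes[username] = code
        return code

    def _client_ip(self, remote_addr, headers):
        # Misconfiguration: believing X-Forwarded-For sent by an untrusted peer.
        if self.trust_forwarded_header and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"].split(",")[0].strip()
        return remote_addr

    def _exceeded(self, key, now):
        recent = [t for t in self.attempts[key] if now - t < WINDOW]
        self.attempts[key] = recent
        return len(recent) >= MAX_ATTEMPTS

    def verify(self, username, code, remote_addr, headers, now=0.0):
        keys = [("ip", self._client_ip(remote_addr, headers))]
        if self.per_account_limit:
            keys.append(("account", username))
        if any(self._exceeded(k, now) for k in keys):
            return "rate_limited"
        for k in keys:
            self.attempts[k].append(now)
        expected = self.codes.get(username, "")
        if expected and secrets.compare_digest(code, expected):
            return "ok"
        return "invalid"


def fake_ip(n):
    """Distinct documentation-range address for request n (constructed data)."""
    return f"203.0.{(n >> 8) & 255}.{n & 255}"


def brute_force(service, username, mode, max_requests, now=0.0):
    """Guess codes 000000, 000001, ... within a single rate-limit window.

    mode: "none"   -> every request from one source address, no tricks
          "header" -> one source address, fresh X-Forwarded-For per request
          "source" -> a genuinely different source address per request
    Returns how many requests were sent, how many were rate limited,
    and whether the OTP was found.
    """
    sent = limited = 0
    for n in range(max_requests):
        remote_addr = fake_ip(n) if mode == "source" else "198.51.100.7"
        headers = {"X-Forwarded-For": fake_ip(n)} if mode == "header" else {}
        result = service.verify(username, f"{n:0{OTP_LENGTH}d}", remote_addr, headers, now)
        sent += 1
        if result == "rate_limited":
            limited += 1
        elif result == "ok":
            return {"cracked": True, "sent": sent, "rate_limited": limited}
    return {"cracked": False, "sent": sent, "rate_limited": limited}


def run_scenario(hardened, mode, otp="000042", budget=100):
    """Build a fresh service holding a known OTP and attack it; returns brute_force's summary."""
    service = OtpService(trust_forwarded_header=not hardened, per_account_limit=hardened)
    service.issue_otp("alice", otp)
    return brute_force(service, "alice", mode, budget)


if __name__ == "__main__":
    for hardened in (False, True):
        for mode in ("none", "header", "source"):
            label = "hardened" if hardened else "weak"
            print(f"{label:8s} {mode:6s} -> {run_scenario(hardened, mode)}")
```

Against the weak service the attacker who rotates the header (or genuinely rotates source addresses) is never rate limited and recovers the code on the 43rd guess, while the same attacker from a single fixed address is cut off after five attempts. Against the hardened service every mode is cut off after five attempts: spoofed headers are ignored, and rotating real addresses still trips the per-account counter. The per-account key is the part that matters; the IP key alone only ever stops the laziest attacker.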
This finding is especially significant given the current cybersecurity landscape, in which ransomware gangs continue to exploit weaknesses in MFA protections to gain entry to corporate networks.
It underscores the imperative for companies to test their security defences continually and to adopt a defence-in-depth strategy: for OTP verification that means rate limits keyed on the account and session as well as the source IP, short code lifetimes, and alerting on bursts of failed attempts, so that no single control has to hold on its own.