A month ago hacker Ahmed Hegazi identified a SQL injection vulnerability in a financial application, and since then has been focusing on bug bounty hunting.
Recently, whilst focusing on authentication system vulnerabilities in financial software, he discovered a brute-force vulnerability in app.finmark.com.
He discovered that the login page’s error messages exposed two significant weaknesses: username enumeration and explicit attempt tracking.
This let a potential attacker gauge their password-guessing window: when a valid email was entered with an invalid password, the application responded with a message stating the number of login attempts remaining.
The hacker said this structured feedback allows attackers to compile a list of legitimate accounts and attempt password breaches using a targeted dictionary of the five most commonly used passwords.
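To make the two weaknesses concrete from the defender's side, here is an added example (not code from app.finmark.com, Finmark, or the article) of a minimal in-memory login handler in two versions. The vulnerable version answers the way the article describes, with a distinct "unknown email" message and an attempts-remaining counter; the hardened version returns one generic message for every failure and keeps the lockout counter server-side only. The lockout threshold, the `example.com` accounts and the static salt are constructed for the example, and `leaks_account_existence` is a self-test a team can run against its own login endpoint to confirm the enumeration oracle is closed.

```python
"""Login error messages as an enumeration and attempt-count oracle.

Added example, not the application's code. Two handlers over the same
constructed user store: one that leaks like the article describes, one
that returns a single generic failure message.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5            # assumed lockout threshold, not a value from the page
_SALT = b"constructed-salt"  # constructed; real code uses a per-user random salt
_ITERATIONS = 50_000         # kept low so the example runs quickly

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)

# Constructed sample user store: email -> password hash.
USERS = {"alice@example.com": _hash("correct horse battery staple")}

GENERIC_FAILURE = "Invalid email or password"

@dataclass
class LoginService:
    users: dict
    failures: dict = field(default_factory=dict)  # email -> consecutive failures

    def _password_ok(self, email: str, password: str) -> bool:
        stored = self.users.get(email)
        if stored is None:
            _hash(password)  # do the same work for unknown users so timing is uniform
            return False
        return hmac.compare_digest(stored, _hash(password))

    def _record_failure(self, email: str) -> int:
        self.failures[email] = self.failures.get(email, 0) + 1
        return self.failures[email]

    def vulnerable_login(self, email: str, password: str) -> str:
        """Leaks whether the account exists and how many tries remain."""
        if email not in self.users:
            return "Unknown email address"
        if self._password_ok(email, password):
            self.failures[email] = 0
            return "OK"
        remaining = MAX_ATTEMPTS - self._record_failure(email)
        return f"Wrong password. {remaining} attempts remaining"

    def hardened_login(self, email: str, password: str) -> str:
        """One message for every failure; lockout is enforced but not announced."""
        if self.failures.get(email, 0) >= MAX_ATTEMPTS:
            self._record_failure(email)
            return GENERIC_FAILURE  # locked: even a correct password is refused
        if self._password_ok(email, password):
            self.failures[email] = 0
            return "OK"
        self._record_failure(email)
        return GENERIC_FAILURE

def leaks_account_existence(login_fn) -> bool:
    """Self-test for a login endpoint: do 'unknown email' and 'known email with a
    wrong password' produce different responses? True means the endpoint is an
    account-enumeration oracle. Both inputs below are constructed."""
    unknown = login_fn("nobody@example.com", "not-the-password")
    known_wrong = login_fn("alice@example.com", "not-the-password")
    return unknown != known_wrong

if __name__ == "__main__":
    leaky = LoginService(dict(USERS))
    safe = LoginService(dict(USERS))
    print("vulnerable leaks existence:", leaks_account_existence(leaky.vulnerable_login))
    print("hardened leaks existence:  ", leaks_account_existence(safe.hardened_login))
```

The hardened handler still counts failures and locks the account after `MAX_ATTEMPTS`, but it never says so in the response; the lockout state belongs in server-side logs and alerting, where it is visible to the security team rather than to whoever is submitting guesses. The dummy hash on the unknown-user path matters too: a generic message is of little use if the missing account answers noticeably faster than a real one.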