
RajeshD.00986 (Customer) asked a question.
Hi Team,
We have an application built which takes an email as part of the Forgot Password functionality.
This hits the Okta API authn/recovery/password and can be used to send flooding emails.
Severity:
1. An attacker can automate the process of sending the forgot-password emails using scripts/tools, as the application has no rate-limiting mechanism implemented on the forgot-password screen.
2. As a result, an attacker may exploit email forms as spam relays or for flooding a certain user's mailbox.
Is there any fix on the Okta API side? Can we restrict rate limiting specific to this API?
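The gap the question describes is on the application side: nothing stops a caller from invoking the forgot-password screen in a loop, so every request is forwarded to Okta and produces an email. The following is an added example (not code from the question, the answer, or Okta) of an application-side gate that rate-limits the endpoint per source IP and per target mailbox before anything reaches the upstream recovery call. `send_recovery`, `ForgotPasswordGate`, `SlidingWindowLimiter` and the limit values are assumptions for illustration; the Okta call itself is represented by a callback so the example runs offline with a fake clock.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within the last `window` seconds.

    Timestamps of accepted events are kept per key; rejected attempts are not
    recorded, so a flood cannot extend its own lockout indefinitely.
    """

    def __init__(self, limit, window, now=time.monotonic):
        self.limit = limit
        self.window = window
        self.now = now  # injectable clock so the behaviour can be simulated offline
        self._events = defaultdict(deque)

    def allow(self, key):
        t = self.now()
        q = self._events[key]
        while q and q[0] <= t - self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


class ForgotPasswordGate:
    """Hypothetical wrapper around the forgot-password handler (assumption).

    Two independent budgets are enforced before the upstream recovery request
    (the page's authn/recovery/password call) is made:
      * per client IP   -> limits scripted abuse from one source
      * per target email -> limits flooding of one victim's mailbox from many sources
    """

    def __init__(self, send_recovery, per_ip=(5, 60), per_email=(3, 600), now=time.monotonic):
        self.send_recovery = send_recovery  # callback standing in for the Okta call
        self.ip_limiter = SlidingWindowLimiter(*per_ip, now=now)
        self.email_limiter = SlidingWindowLimiter(*per_email, now=now)

    def handle(self, client_ip, email):
        email_key = email.strip().lower()  # normalise so case variants share one budget
        if not self.ip_limiter.allow(client_ip):
            # Source is over budget: refuse outright, nothing is forwarded.
            return {"status": 429, "forwarded": False, "reason": "ip_limit"}
        if not self.email_limiter.allow(email_key):
            # Mailbox is over budget: keep the generic response so the caller
            # learns nothing, but do not forward the request upstream.
            return {"status": 202, "forwarded": False, "reason": "email_limit"}
        self.send_recovery(email_key)
        return {"status": 202, "forwarded": True, "reason": None}


class FakeClock:
    """Constructed clock so the simulation below is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_flood():
    """Replay a constructed flood of forgot-password requests through the gate."""
    sent = []
    clock = FakeClock()
    gate = ForgotPasswordGate(send_recovery=sent.append, now=clock)

    # Burst of 8 requests from one IP against one victim mailbox at t=0.
    burst = [gate.handle("203.0.113.10", "Victim@example.com") for _ in range(8)]
    forwarded_in_burst = sum(1 for r in burst if r["forwarded"])

    # After the 60 s IP window expires, the same IP may target a different mailbox.
    clock.advance(61)
    other = gate.handle("203.0.113.10", "other@example.com")

    # The victim's 600 s mailbox budget is still exhausted from a fresh IP...
    still_blocked = gate.handle("198.51.100.7", "victim@example.com")
    # ...until that window expires too.
    clock.advance(540)
    released = gate.handle("198.51.100.7", "victim@example.com")

    return {
        "burst_statuses": [r["status"] for r in burst],
        "forwarded_in_burst": forwarded_in_burst,
        "other_forwarded": other["forwarded"],
        "still_blocked_forwarded": still_blocked["forwarded"],
        "released_forwarded": released["forwarded"],
        "emails_sent": len(sent),
    }


if __name__ == "__main__":
    print(simulate_flood())
```

In the simulation only the first three of eight burst requests reach the upstream call; the next two are absorbed by the per-mailbox budget with an unchanged response, and the rest are refused with 429 once the per-IP budget is gone. The in-memory deques are fine for a single process; behind a load balancer the counters would live in a shared store with expiry so that every instance enforces the same budgets.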

Hi @RajeshD.00986 (Customer), thank you for reaching out to the Okta Community!
If you are interested in reporting a vulnerability, please see the process and policy here.
As for decreasing the rate limits, I have not seen that done before.
I know that you can request exceptions to increase them for various business reasons, and those exceptions are temporary. See this article for details.
I recommend opening a case to discuss the matter with my colleagues from Support; I'm sure changes could be made if this is deemed an issue and no other solution is available for the use case.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!