Risk Inside Tesla Bruteforce Protection - Lock Tesla Users Accounts

 Hello Friends,

Recently, I found a strange behaviour on the Tesla site which is intentional but risky. Whenever I enter my email and try invalid passwords at login multiple times, Tesla locks the account and asks me to reset the password.

Normally, when wrong credentials are entered many times on a secure login, the account is locked temporarily (for some period) as a security measure.
Tesla, however, locks the user's account and requires a password reset to unlock it.
That is where the risk lies.

An attacker may enter any Tesla user's email and try invalid passwords multiple times, say 20 to 30. After multiple invalid attempts, Tesla locks that user's account. When the user tries to log in to their Tesla account with valid credentials, Tesla tells them to reset the password.

An attacker can lock a victim's account this way; the victim then has to reset the password to unlock the account. If the victim has no access to the email connected to the Tesla account, they cannot recover the account.

The risk increases if an attacker performs email enumeration of Tesla users: the attacker can then lock many Tesla user accounts and force all of them to reset their passwords.
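As an added illustration (not code from this post or from Tesla), the two lockout policies the post contrasts, modelled in Python: a "hard" lock that persists until a password reset, which lets anyone who knows an email lock the real owner out, and a "temporary" lock that expires on its own. The user store, credentials and clock are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


def make_user(email, password):
    """Constructed demo record: email -> (salt, sha256(salt + password)).
    A real store would use a slow hash such as argon2 or bcrypt."""
    salt = secrets.token_bytes(16)
    return {email: (salt, hashlib.sha256(salt + password.encode()).digest())}


class LoginGuard:
    """Counts failed logins per account and applies one of two lockout policies.
    "hard":      after `threshold` failures the account stays locked until a
                 password reset, so anyone who knows the email can lock out
                 the real owner (the behaviour described in the post).
    "temporary": after `threshold` failures the account is locked only for
                 `lock_seconds`; the owner regains access without a reset,
                 while a guesser still gets at most `threshold` tries per window."""

    def __init__(self, users, policy="temporary", threshold=5,
                 lock_seconds=300, clock=time.monotonic):
        self.users, self.policy = users, policy
        self.threshold, self.lock_seconds = threshold, lock_seconds
        self.clock = clock      # injectable so the demo can fast-forward time
        self.failures = {}      # email -> (failure count, time of last failure)

    def is_locked(self, email):
        count, last = self.failures.get(email, (0, 0.0))
        if count < self.threshold:
            return False
        if self.policy == "hard":
            return True         # only an out-of-band reset clears a hard lock
        return self.clock() - last < self.lock_seconds

    def login(self, email, password):
        """Return 'ok', 'bad_credentials' or 'locked'. Unknown emails get the same
        answer as wrong passwords so the response does not confirm which exist."""
        if self.is_locked(email):
            return "locked"
        salt, stored = self.users.get(email, (b"", b""))
        digest = hashlib.sha256(salt + password.encode()).digest()
        if email in self.users and hmac.compare_digest(digest, stored):
            self.failures.pop(email, None)      # success clears the counter
            return "ok"
        count, _ = self.failures.get(email, (0, 0.0))
        self.failures[email] = (count + 1, self.clock())
        return "bad_credentials"
```

Under the "hard" policy the owner's correct password is refused until a reset; under the "temporary" policy the same owner gets back in once the window passes, while guessing is still throttled.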


Thanks for Reading
