API Loophole: How I Bypassed CAPTCHA to Create Unlimited Accounts
The total bounty awarded was $500 for two bypasses ($250 each).
Here’s another past discovery that I’m sharing as part of my findings.
Security vulnerabilities come in many forms, often lurking in the overlooked corners of an application. In one of my old findings, I discovered an interesting bug that allowed me to bypass CAPTCHA restrictions and create unlimited accounts on a platform.
The application had implemented CAPTCHA on the normal registration page to prevent automated account creation through brute force attacks. This is a common security measure used to limit spam and abuse. However, while exploring the API endpoints, I found an interesting behavior in /v3/users/.
Upon testing, I noticed that the /v3/users/ endpoint accepted a GET request and provided authenticated user information.
I attempted to retrieve information about other users using the same API endpoint by making a POST request with parameters like user_id and account_id, but received no useful response. Then, I tried using an email parameter with a random email address, and the response indicated that a password is required. This led me to believe it might be a login endpoint where I could attempt brute-forcing credentials. However, I later realized that it wasn’t a login endpoint but rather the account creation endpoint. That’s when it struck me—this could still be a vulnerability, since the main registration endpoint had CAPTCHA protection to prevent creation of multiple accounts.
I sent a POST request to the /v3/users/ endpoint with email and password parameters. To my surprise, the request was processed successfully, allowing me to create multiple accounts without any CAPTCHA restrictions.
While further exploring the platform, I found another API endpoint, /api/v2/users, that exposed user details. Similar to the previous finding, I attempted to send a POST request with email and password parameters. Once again, I was able to create an unlimited number of accounts without CAPTCHA restrictions, further demonstrating the lack of security enforcement at the backend level.
1. Navigate to the normal registration page and confirm that CAPTCHA is enforced.
2. Use a proxy tool such as Burp Suite to send a POST request to /v3/users/.
3. Include the following parameters in the request body:
   email: your desired email address
   password: your chosen password
4. Submit the request and observe the response.
5. Verify that the account is created successfully without needing to solve a CAPTCHA.
6. Repeat the process multiple times to confirm unrestricted account creation.
7. Repeat steps 2–6 for /api/v2/users/ to verify the same vulnerability exists.
At this point, I had effectively bypassed the CAPTCHA mechanism, which was meant to limit mass registrations. The normal registration page enforced CAPTCHA, but the direct API call did not. This meant that an attacker could automate account creation at scale, leading to spam, fake accounts, and potential abuse of the platform.
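The root cause described above, CAPTCHA enforced by the web form handler but not by the API routes that actually create accounts, is illustrated in the following added Python example. It is not the platform's code: only the paths /register, /v3/users/ and /api/v2/users come from the write-up; the CAPTCHA token check, the per-IP limit, the Request/UserStore types and all other names are assumptions made for the example. The vulnerable layout checks CAPTCHA in one route; the hardened layout moves the check (plus a registration limit as defence in depth) into the single service that every registration path calls.

```python
"""Added example (not the author's or the platform's code): CAPTCHA must be
enforced in the shared account-creation service, not only in the web form
handler, or any other route that reaches the same service bypasses it."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical CAPTCHA provider check. A real deployment verifies the token
# with the provider (and treats it as single-use); a fixed token stands in here.
VALID_CAPTCHA_TOKEN = "constructed-valid-token"


def captcha_verified(token: Optional[str]) -> bool:
    return token == VALID_CAPTCHA_TOKEN


@dataclass
class Request:
    path: str
    method: str
    body: Dict[str, str] = field(default_factory=dict)
    client_ip: str = "203.0.113.10"  # constructed sample address


@dataclass
class UserStore:
    users: Dict[str, str] = field(default_factory=dict)

    def create(self, email: str, password: str) -> None:
        # Plain dict for the example; a real store hashes the password.
        self.users[email] = password


# --- Vulnerable layout: CAPTCHA checked only by the HTML registration route ---
class VulnerableApp:
    def __init__(self) -> None:
        self.store = UserStore()

    def register_form(self, req: Request) -> Tuple[int, str]:
        if not captcha_verified(req.body.get("captcha_token")):
            return 400, "captcha required"
        self.store.create(req.body["email"], req.body["password"])
        return 201, "created"

    def api_users(self, req: Request) -> Tuple[int, str]:
        # /v3/users/ and /api/v2/users: creates the account with no CAPTCHA check,
        # which is the behaviour the write-up found.
        if "email" not in req.body:
            return 400, "email required"
        if "password" not in req.body:
            return 400, "password required"
        self.store.create(req.body["email"], req.body["password"])
        return 201, "created"

    def handle(self, req: Request) -> Tuple[int, str]:
        routes = {"/register": self.register_form,
                  "/v3/users/": self.api_users,
                  "/api/v2/users": self.api_users}
        return routes[req.path](req)


# --- Hardened layout: CAPTCHA and a per-IP limit live in the shared service ---
class HardenedApp:
    MAX_SIGNUPS_PER_IP = 3  # assumed policy value for the example

    def __init__(self) -> None:
        self.store = UserStore()
        self.signups_by_ip: Dict[str, int] = {}

    def _create_account(self, req: Request) -> Tuple[int, str]:
        """Single choke point used by every registration path."""
        if not captcha_verified(req.body.get("captcha_token")):
            return 400, "captcha required"
        if self.signups_by_ip.get(req.client_ip, 0) >= self.MAX_SIGNUPS_PER_IP:
            return 429, "too many registrations"
        email, password = req.body.get("email"), req.body.get("password")
        if not email or not password:
            return 400, "email and password required"
        self.store.create(email, password)
        self.signups_by_ip[req.client_ip] = self.signups_by_ip.get(req.client_ip, 0) + 1
        return 201, "created"

    def handle(self, req: Request) -> Tuple[int, str]:
        if req.method != "POST":
            return 405, "method not allowed"
        if req.path in ("/register", "/v3/users/", "/api/v2/users"):
            return self._create_account(req)
        return 404, "not found"
```

The point of the hardened version is structural: there is one function that can create a user, and it is the one that verifies the CAPTCHA, so adding a new API version later cannot silently reintroduce the bypass. The per-IP counter is a stand-in for proper rate limiting and is only a second layer; the CAPTCHA check is what closes the reported issue.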
Although the main goal was to retrieve other users’ details using their email addresses, the server responded with an error stating that a password was required. At that moment, I immediately recognized the possibility of another bug. Having spent a significant amount of time on this target, I had developed a deeper understanding of its behaviour.
This vulnerability could have led to a large-scale abuse of the platform, allowing malicious actors to flood the system with fake accounts.
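On the detection side, mass registration through an unprotected API leaves a clear trace in access logs: many successful POSTs to account-creation paths from one source in a short span. The following added Python example (not from the write-up) scans constructed access-log lines for that pattern. The registration paths are the ones named in the article; the log format (a combined format without referrer and user agent), the window, the threshold and the sample addresses are assumptions.

```python
"""Added example (not from the write-up): flag sources that create many
accounts in a short window via the registration endpoints named in the article.
Log format, window and threshold are assumed; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional, Tuple

# Paths from the write-up, with and without trailing slash as it spells them.
REGISTRATION_PATHS = {"/register", "/v3/users/", "/api/v2/users", "/api/v2/users/"}

# Assumed log shape: ip ident user [timestamp] "METHOD path proto" status
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one source creates five accounts in five seconds
# through the API paths, another registers once through the normal form.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /v3/users/ HTTP/1.1" 201
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /v3/users/ HTTP/1.1" 201
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /v3/users/ HTTP/1.1" 201
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "POST /api/v2/users HTTP/1.1" 201
203.0.113.7 - - [10/Mar/2025:10:00:05 +0000] "POST /api/v2/users HTTP/1.1" 201
198.51.100.9 - - [10/Mar/2025:10:00:10 +0000] "POST /register HTTP/1.1" 201
198.51.100.9 - - [10/Mar/2025:10:30:10 +0000] "GET /v3/users/ HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2025:11:00:00 +0000] "POST /v3/users/ HTTP/1.1" 201
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bulk_signups(log_text: str,
                      window: timedelta = timedelta(minutes=10),
                      threshold: int = 5) -> Dict[str, int]:
    """Return {ip: peak count} for sources with at least `threshold` successful
    registrations inside any span of length `window` (log assumed time-ordered)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Only successful account creations count; GET /v3/users/ is a profile read.
        if method != "POST" or path not in REGISTRATION_PATHS or status != 201:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, count in find_bulk_signups(SAMPLE_LOG).items():
        print(f"bulk registration from {ip}: {count} accounts within 10 minutes")
```

The sliding window keeps the check cheap on large logs and avoids counting a source's activity across an entire day as one burst. Since the logs do not record whether a CAPTCHA was solved, the signal is volume per source on any registration path, which also catches the case where the bypass goes through an API version the monitoring team did not know about.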
Apologies for any mistakes. I revisit my article from time to time, and if I find any errors, I make sure to correct them. Thank you!
#BugBounty #CyberSecurity #APIsecurity #EthicalHacking