Affiliate signup OTP: XFF spoof bypassed the rate limit in extractFingerprint — VV F5 (PR #575)
Kristaps (Riga, Centra Rajons, 35) is a freelance Baltic bug bounty hunter, Bugcrowd Baltic top-15, formerly 3 years in anti-fraud at Klarna, specialising in SaaS affiliate program abuse and signup-flow brute-force across Baltic fintech and Nordic SaaS. In the 4th week of May 2026, under the thMenu private bounty, he looked at the affiliate side after UU F1 had been closed on the customer side, reasoning that a parallel hole might exist there.

Target: /api/affiliate/signup-otp/verify, the thMenu affiliate program signup endpoint. The OTP is 6-digit numeric, valid for 10 minutes, rate-limited to 5 attempts per 5 minutes.

Hypothesis: the customer-side rate-limit fingerprint extraction was closed in PR #570 (UU F1: XFF fallback removed, CF-Connecting-IP only), but the affiliate side uses a separate helper, cloudflare/src/lib/extract-fingerprint.ts, which may not have been swept. A curl loop over the 1M combinations with a random X-Forwarded-For per request tested whether the rate-limit fingerprint still trusted XFF as a fallback. The first 1,000 attempts triggered no rate limit: XFF spoof bypass confirmed.

Feasibility: with a 10⁶ keyspace, a 10-minute OTP validity and ~80 ms per attempt, a sequential run is 10⁶ × 80 ms = 80,000 s ≈ 22 h, too slow. In parallel, 50 concurrent TCP connections × 80 ms (50 per 4 ms) ≈ 12,500 attempts/sec, which is 7.5M attempts in 10 minutes, 7-8× the keyspace. Statistical brute-force is feasible, so affiliate signup hijack is practical.

Threat model, 4 scenarios: (1) Coupon code hijack: the Phase 1 Stripe coupon tied to the attacker-held affiliate seat, commission earnings pushed via social media. (2) KYC harvest: tax ID, bank account and signing data, read/edit of the victim's KYC. (3) Postback URL injection (PR #609, CCC-B): an attacker-controlled URL receiving commission events becomes a server-side info-leak exfiltration channel. (4) Wise payout redirection: in Phase 3 the attacker changes the Wise recipient. CVSS 8.2, High.

Root cause: cloudflare/src/lib/extract-fingerprint.ts used cfIp ?? xff ?? unknown, the identical pattern to UU F1 on the customer side. The affiliate side has its own helper, so a separate sweep was required. 5 surfaces depend on extract-fingerprint.ts: signup-otp/send, signup-otp/verify, postback-secret/rotate, postback-log writes and the anomaly-scan cron, all XFF-spoofable.

Fix, PR #575 (VV F5): XFF fully removed. The helper reads const cfIp only; if !cfIp it throws FingerprintError and the caller returns 503, the same pattern as UU F1. Bonus: request.cf?.country + request.cf?.asn as a two-layer guard against CF Worker route misconfiguration.

Production audit over 6 months: 50,000 OTP verify attempts across 1,200 unique signups. 46,500 were normal (3-5 attempts on average). 3,500 attempts across 23 signups matched the brute-force pattern (4). 1 succeeded: the attacker took over an affiliate signup, fetched the Stripe coupon and posted it on social media for ~GBP950 in commission; fraud detection caught it, the account was banned, the commission clawed back and the Wise payout reversed. The 22 attempted-but-unsuccessful signups received an apology plus a 1-month Pro credit.

Sweep: PR #570 (UU F1, customer side) + PR #575 (VV F5, affiliate side) + PR #531 (JJ-5, 9 audit-log writers) + PR #611 (DDD F4, defense-in-depth, 9 more). 4 PRs in total, and every headers.get X-Forwarded-For read removed, with a single intentional exception: the image-proxy, where the XFF is CF-internal and trusted because it comes from Cloudflare image transformation.

Defne (Istanbul, Levent, 33), freelance API security, HackerOne TR top-15, SaaS signup-flow OTP brute-force, reported the same extract-fingerprint XFF bypass on /api/affiliate/signup-otp/verify in parallel the same week. Reward: EUR1,500 + 6-month priority, a joint Twitter thread, and an OWASP TR + OWASP Latvia joint meetup in Q4 2026.

Pattern: SaaS apps have multiple sides (customer, admin, affiliate, kiosk, superadmin), and each side has its own helper, route handler and rate-limit middleware, so fixing one side does not propagate to the others. UU F1 was fixed on the customer side and engineering felt done, but the affiliate-side helper still had the same bug; Defne and Kristaps caught the gap. Once a canonical bug class is identified, do a codebase-wide grep audit, not just the initially-reported surface: shared anti-patterns (XFF fallback, sticky boolean, asymmetric guard, probe loop) may live in multiple helpers on multiple sides. Countermeasures: a sweep matrix in CI, a new-helper anti-pattern checklist (XFF read, state, time-bound, atomic UPSERT), a lint rule, and a helper-completeness review.
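The fallback anti-pattern beside the PR #575 pattern, with a per-fingerprint limiter and the regression check a sweep would add, as an added example that is not thMenu's code; every name except the two header names is an assumption.

```typescript
// Added example, not thMenu's extract-fingerprint.ts: the `cfIp ?? xff ?? unknown`
// fallback beside the fix (CF-Connecting-IP mandatory, FingerprintError otherwise),
// a fingerprint-keyed limiter, and a regression check. Names are assumptions.

export class FingerprintError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "FingerprintError";
  }
}

type HeaderMap = Record<string, string | undefined>;

// Anti-pattern: with CF-Connecting-IP absent the key comes from X-Forwarded-For,
// which the client sets freely, so the rate-limit key is attacker-chosen.
export function extractFingerprintVulnerable(headers: HeaderMap): string {
  const cfIp = headers["cf-connecting-ip"];
  const xff = headers["x-forwarded-for"];
  return cfIp ?? xff ?? "unknown";
}

// Fixed: CF-Connecting-IP only. Its absence means the route is not behind
// Cloudflare; that is a fault the caller turns into a 503, never a fallback.
export function extractFingerprintFixed(headers: HeaderMap): string {
  const cfIp = headers["cf-connecting-ip"];
  if (!cfIp) throw new FingerprintError("CF-Connecting-IP missing");
  return cfIp;
}

// Fixed-window counter keyed on the fingerprint: 5 attempts per window, as on the page.
export class RateLimiter {
  private readonly counts = new Map<string, number>();
  constructor(private readonly limit = 5) {}
  allow(key: string): boolean {
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// Regression check: `attempts` verify calls with no CF-Connecting-IP and a rotating
// X-Forwarded-For (constructed private-range addresses). Returns how many pass the limiter.
export function allowedAttempts(extract: (h: HeaderMap) => string, attempts: number): number {
  const limiter = new RateLimiter(5);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const headers: HeaderMap = { "x-forwarded-for": `10.${(i >> 16) & 255}.${(i >> 8) & 255}.${i & 255}` };
    try {
      if (limiter.allow(extract(headers))) allowed++;
    } catch (e) {
      if ((e as Error).name !== "FingerprintError") throw e; // 503 path: never reaches the OTP check
    }
  }
  return allowed;
}
```

With the vulnerable helper every one of 1,000 spoofed attempts passes the limiter; with the fixed helper none do, which is the assertion to keep in CI for each helper the sweep matrix covers.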
Documented in CLAUDE.md §17 (audit-log XFF spoofable-fallback anti-pattern), with PR #575 as the reference.
thMenu Team
thmenu.com