Scenario
As a user, I can click "create" several times on the post creation prompt before the modal closes, which sends several post creation API requests at once.
Impact
Because the requests arrive concurrently, each one passes the cooldown check before the first post has been recorded, so the cooldown validation is bypassed and several posts are created. The user's metrics are nonetheless refreshed only once, likely because the concurrent karma updates overwrite each other (a lost-update concurrency issue).
Remediation
A patch has been deployed via #164, which mitigates the issue on the API side. Clients can still send multiple requests, but the vulnerability is mitigated: the API now issues 429 responses to all but the first concurrent request.
Cleaning up posts already created through this issue is a manual step: the site administrator removes the duplicate posts (treated as a platform maintenance action).
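The race described above, as an added illustration that is not code from the platform or from patch #164: a check-then-act cooldown handler with a simulated database round trip between the check and the write, run against six simultaneous requests, beside a version that serialises check and write per user so that only the first request is accepted and the rest receive 429. The user name, cooldown value, race window and in-memory store are all hypothetical.

```python
import threading
import time
from dataclasses import dataclass, field

# Hypothetical values; the real platform's cooldown is not stated in the report.
COOLDOWN_SECONDS = 30.0
RACE_WINDOW = 0.05  # simulated DB round trip between check and write


@dataclass
class UserState:
    last_post_at: float = 0.0          # 0.0 means "never posted"
    karma: int = 0
    posts: list = field(default_factory=list)


class NaiveApi:
    """Check-then-act cooldown with no synchronisation (the pre-patch shape)."""

    def __init__(self):
        self.users = {}

    def state_for(self, user):
        return self.users.setdefault(user, UserState())

    def create_post(self, user, body, now):
        state = self.state_for(user)
        # 1. the cooldown check reads last_post_at ...
        if now - state.last_post_at < COOLDOWN_SECONDS:
            return 429
        time.sleep(RACE_WINDOW)          # ... 2. every concurrent request gets past it
        state.posts.append(body)
        # 3. read-modify-write of karma: concurrent writers clobber each other,
        #    so the metric moves once even though several posts were created
        karma = state.karma
        time.sleep(RACE_WINDOW)
        state.karma = karma + 1
        state.last_post_at = now
        return 201


class PatchedApi(NaiveApi):
    """Same handler, but check and write happen under a per-user lock."""

    def __init__(self):
        super().__init__()
        self._locks = {}
        self._locks_guard = threading.Lock()

    def _lock_for(self, user):
        with self._locks_guard:
            return self._locks.setdefault(user, threading.Lock())

    def create_post(self, user, body, now):
        # The first request to take the lock records its post; later ones then
        # see the fresh last_post_at and fail the cooldown check with 429.
        with self._lock_for(user):
            return super().create_post(user, body, now)


def fire_concurrent(api, user, n, now=1_000.0):
    """Send n create-post requests at once (the multi-click) and return the status codes."""
    api.state_for(user)                  # create the record before the threads start
    gate = threading.Barrier(n)
    statuses = [None] * n

    def worker(i):
        gate.wait()                      # release all requests together
        statuses[i] = api.create_post(user, f"post {i}", now)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return statuses


if __name__ == "__main__":
    for cls in (NaiveApi, PatchedApi):
        api = cls()
        codes = fire_concurrent(api, "alice", 6)
        st = api.state_for("alice")
        print(f"{cls.__name__}: statuses={codes} posts={len(st.posts)} karma={st.karma}")
```

Run stand-alone, it prints the status codes and the resulting post and karma counts for both handlers: the unpatched handler accepts all six requests while karma moves only once, which matches the behaviour reported under Impact, and the patched handler accepts one and rejects five with 429. In a real deployment with several API workers a per-process mutex is not enough; the equivalent is an atomic conditional write in the datastore (or a distributed lock) that records the new post time only if the cooldown has elapsed.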