Bypassed controls are absent controls
Leanstral 1.5 bypassed CAPTCHA and rate limiting. Those controls score requests, not identity, the only boundary that refuses credential replay.
Leanstral 1.5 is a credential stuffing escalation running on a publicly available tool. It targets compromised data from smaller businesses. It is being used to bypass CAPTCHAs and rate limiting. Those are the facts. My position is narrow and I will not move off it: the controls most teams point to as their defense against automated login abuse did not stop this behavior, which means against this class of attack they are ineffective.
Publicly available changes the threat profile before any technical detail matters. A tool that anyone can obtain removes skill and access from the list of things standing between an attacker and a login endpoint. Weaponized means it is being pointed at authentication in production, not sitting in a research repo. The stated target is compromised data from smaller businesses. Whether that describes the source of the credentials, the systems under attack, or both is not confirmed, and I will not resolve it by guessing.
CAPTCHA and rate limiting are the two controls named in the facts, and they are named because they were bypassed. That is the entire reason this is worth a briefing. A control that is bypassed is not a degraded control. It is an absent one. Number of accounts, number of businesses, duration of activity, and the specific bypass method are not confirmed. None of that changes the position. The controls did not hold.
What failed is observable at the authentication endpoint. Login flows protected by CAPTCHA and rate limiting did not block the automated credential stuffing traffic those controls exist to block. The presence of the controls did not change the outcome at the point of request. That is the failure, stated as behavior and nothing more.
CAPTCHA is a control designed to separate automated clients from human ones at the point of request. Rate limiting is a control designed to cap the volume of attempts an origin can make in a window. The facts state both were bypassed. I am not describing how, because how is not confirmed. I am describing what is directly supported: traffic that these controls exist to stop reached the endpoint behind them.
What is not confirmed is the scope of that failure. The number of login attempts, the number of endpoints, the number of accounts reached, and whether any authentication succeeded are not stated. Absence of that data is a condition, not a gap to fill. I will treat it as one. The confirmed failure is the control layer. The outcome behind it is not confirmed.
Credential stuffing does not attack the credential. It submits credential pairs that already exist. A compromised username and password pair, replayed against a login endpoint, is structurally identical to a legitimate login attempt at the point of authentication. The endpoint is asked a question it is built to answer when the pair matches. That is the mechanism, and it is why the target of the attack was never the CAPTCHA or the rate limit.
CAPTCHA and rate limiting sit in front of that question. They evaluate request signals and volume. CAPTCHA attempts to decide whether the client is automated. Rate limiting decides whether an origin has made too many attempts too fast. Neither evaluates whether the credential being submitted is legitimate, because that is not what they are built to do. They are friction and volume controls placed in front of an identity decision they never participate in. Against replayed credential pairs that are valid in form, their intended function is already aimed at the wrong boundary.
In this case they did not reach their intended function at all. The facts state they were bypassed. So the failure has two layers, and only one of them is a design limitation. The design limitation is that these controls do not validate identity. The operational failure is that the tool removed even the friction they provide. How the bypass was achieved is not confirmed. That it was achieved is stated. A control that is bypassed and a control that was never aimed at the right boundary produce the same condition at the endpoint: compromised pairs get to ask the credential question, and neither named control was in a position to refuse them.
Credential stuffing is automated by definition. It submits pairs in volume, and a tool performs the submission. The two named controls are the only two things in the facts positioned to impose cost on that volume. CAPTCHA imposes a per request check meant to separate automated clients from human ones. Rate limiting imposes a per origin ceiling on attempts inside a window. Both were bypassed. The cost each control exists to impose was not imposed. What that produces at the endpoint is automated replay proceeding without the friction and without the ceiling that were placed there to constrain it.
Publicly available is the multiplier on that outcome. The tool removes skill and access from the set of things standing between an operator and the login endpoint. Combined with the bypass, the endpoint faces automated submission of well formed credential pairs with no enforced limit on how many arrive. Whether any of those pairs matched, and whether authentication succeeded, is not confirmed. The failure I am defining sits in front of that outcome. The request layer accepted and processed traffic the two controls exist to refuse, and it did so at machine volume because nothing in the named control set was in a position to slow it.
That joins the two layers from a single direction. The controls do not validate identity, which is a design limitation. The controls were bypassed, which is an operational failure. Together they mean the endpoint is answering the credential question at automated volume with neither the identity check that was never present nor the friction that was removed. If a system allows a request, at volume, it will receive that request at volume. A login endpoint that will answer for any well formed pair, with no enforced ceiling and no identity validation behind it, is a system that allows it. The scope of what arrived is not confirmed. The condition that let it arrive is.
The pattern is control placement against a boundary the attack does not cross. CAPTCHA scores the client. Rate limiting scores the origin. Neither scores the credential. The attack does not cross at the client boundary or the origin boundary. It crosses at the identity boundary, because a compromised pair that is valid in form is only refusable by something that evaluates the identity claim. Any endpoint defended primarily by controls that score the request rather than validate the identity carries this same exposure, independent of vendor, tuning, or how many such controls are stacked.
The mechanism is not specific to these two controls. It is specific to the class. A control that evaluates something other than credential legitimacy will pass any input that satisfies its actual test. Rate limiting passes traffic that stays under its ceiling. CAPTCHA passes clients that clear its check. Each is answering a question the attack does not ask. Add another control of the same class and you add another test the attacker only has to satisfy, not defeat at the identity layer. The exposure does not shrink by stacking controls that share the same blind spot.
That defines the exposed population precisely. The set of endpoints at risk is every login path whose defense is request scoring and volume capping. The set of actors able to run the mechanism is everyone who can obtain a publicly available tool. Neither set is a property of the stated target. The stated target is compromised data from smaller businesses, and whether that names the credential source, the systems under attack, or both is not confirmed. The exposure does not depend on resolving that. It is a property of the control model, and the control model is common.
CAPTCHA and rate limiting are not authentication controls and cannot be counted as the defense against credential replay. Against this class they are ineffective. I state that flatly because the facts state they were bypassed, and a control that is bypassed produced the same condition as a control that was never there. If the answer to credential stuffing on your login path is CAPTCHA and rate limiting, there is no control against credential stuffing on that path. There is friction, and in this case the friction was removed.
Identity is the boundary. The only thing that refuses a compromised but valid pair is a control that evaluates the identity claim and the context around it, and that evaluation has to be continuous rather than assumed from a request that cleared a CAPTCHA. What must now be true is that the credential question cannot be the last question the endpoint asks. Something behind it has to evaluate whether a well formed pair belongs to the party presenting it. That requirement is not a recommendation drawn from outside the facts. It follows directly from the mechanism. The named controls do not make that evaluation, so the evaluation is absent, so it has to be added or the endpoint stays open to exactly this.
Controls that are not enforced are not controls. The two named controls were bypassed, which means at the point of request they were not enforced, which means for this behavior they did not exist. The scope of accounts, endpoints, and attempts is not confirmed, and it does not need to be confirmed to act, because the condition is confirmed without it. The tool is public. Trust in a login path that rests on request scoring is trust extended to every party who can obtain that tool. Treat every request scoring control on an authentication path as absent until an identity boundary sits behind it and is enforced on every request.
See also: NordVPN for tunneled traffic when operating outside controlled networks.
#ad Contains an affiliate link.
Keep Reading
credential stuffingThe camera on the pole has a login screen
Flock cameras are credentialed endpoints inside a trust boundary. The exposure is not surveillance. It is credential stuffing against a standardized fleet.
jwtA valid JWT authenticates nothing
A JWT is a signed data structure, not authentication. The security lives in the verifier, not the token. Where validation is optional, the boundary is gone.
api securityYour API breach was working as designed
API authentication failing at the request level is a trust boundary failure. Inadequate identity validation makes lateral movement a design outcome.
Stay in the loop
New writing delivered when it's ready. No schedule, no spam.