Capgo - Rate Limit Bypass via User-Controlled device_id Parameter

An attacker sends multiple POST requests to the `channel_self` endpoint while rotating the `device_id` parameter in each request [ref_id=1]. Since the rate limit key is the attacker-controlled `device_id`, each new value resets the rate-limit counter, allowing many requests per second. Each successful request triggers a database write via `upsertChannelDevicePg`, flooding the `channel_devices` table with junk records and potentially causing database exhaustion [ref_id=1].

The vulnerability resides in `supabase/functions/_backend/plugins/channel_self.ts`, where rate limiting logic used the user-controlled `device_id` as the rate-limit key. Because `device_id` is supplied directly by the client and not authenticated, an attacker can rotate this value to bypass the intended rate limit.

The advisory states that the Capgo team patched the issue to prevent bypass of the rate limit [ref_id=1]. The patch does not show the exact code change, but the fix presumably binds the rate-limit key to a server-authenticated identifier (such as a session token or API key) instead of the client-supplied `device_id`, ensuring that rotating the parameter does not reset the rate-limit counter.