Discovered a Unique Email Verification Bypass

mo9khu93r
3 min readOct 30, 2024

--

Bypassing email verification restriction

Uncovering an Email Verification Bypass Vulnerability on Example.com 🔍

Email verification is a fundamental security measure that ensures only verified users access their accounts and interact with essential features. However, during a recent bug bounty effort, I discovered a vulnerability on Example.com that allowed users to bypass email verification and perform unauthorized actions on their accounts. This article walks through the discovery, impact, and potential remediation steps for the vulnerability.

Detailed Description 📚

This vulnerability allows users to bypass the email verification process and access certain account actions, such as changing settings, inviting users, or modifying account details, without first verifying their email address. This could lead to unauthorized access and potential misuse of Example.com’s services.

Step-by-Step Reproduction 👣

  1. Sign Up Without Verification:
  • First, I signed up for an account on Example.com’s registration page: https://www.example.com/get-started but did not verify the email.

2. Attempt to Log In Without Verification:

  • I then went to the login page (https://client.example.com/login) and logged in with the unverified account.
  • Using Burp Suite to intercept the traffic, I observed a request:
  • GET /verify-email HTTP/2
  • This request confirmed the prompt for email verification.

3. Capture Cookie and CSRF Token:

  • You will see the next request like:
  • GET /_next/data/nAtO8SI6Rt7CL057kmy06/verify-email.json HTTP/2
  • This request contained both the cookie and CSRF token for the unverified account.

4. Create and Verify Another Account:

5. Exploit the Unverified Account:

  • While logged into the verified account, I intercepted a request to change account details, such as the name or invite users.
  • I replaced the cookie and CSRF token in this request with those obtained from the unverified account, using Burp Suite’s Repeater tool.
  • This substitution enabled me to perform these changes as if I were acting on the unverified account.

6. Verify the Exploit:

  • Replaying the request for the unverified account confirmed that changes (like the name update or user invite) were successfully made on the unverified account.

Root Cause Analysis 🕵️‍♀️

The vulnerability stems from a configuration issue in Example.com’s API. The response from the /verify-email.json endpoint showed that the parameter "editEnabled": true was set for all accounts, including those that had not verified their email addresses. This allowed unverified accounts to modify critical settings and invite other users, bypassing security protocols.

Impact of the Vulnerability 💀

This flaw permits unverified users to perform actions on their accounts without email verification, potentially allowing malicious actors to exploit the system by creating multiple accounts without legitimate verification. Such activities could compromise both user experience and platform security by enabling unauthorized access to account management features.

Suggested Remediation 🤝

To mitigate this issue, Example.com could implement the following steps:

  • Enforce conditional checks on the "editEnabled" parameter, setting it to false until the email verification is complete.
  • Add backend validation for actions that require verification, ensuring only verified accounts can perform account modifications or user invites.
  • Regularly audit and test API endpoints to prevent similar bypasses in future updates.

Conclusion 👨‍💼

The email verification process is critical in maintaining the integrity and security of user accounts. This vulnerability on Example.com highlights the importance of thorough validation and security measures, particularly for actions involving user permissions and account modifications. By addressing this issue, Example.com can reinforce its security framework, ensuring that only verified users can access sensitive functionalities.

Thanks 🙏

--

--

No responses yet