A Strange Tale of Email Verification Bypass


Huntsman

Hey guys,

Hope all is well with you. It has been a while since my last writeup.

I decided to publish two of my weird and, of course, instructive findings. So here we go.

First one:

Let’s call the target redacted.com.
To change your email on redacted.com, you are supposed to enter an email that is under your control and that you have full access to, because the application has to verify that the email is yours. In order to verify it, the application sends a 6-digit code to the email that you want to add. (I had bypassed this mechanism once by brute forcing OTP.)

To bypass it again, I just manually browsed the changing email function and tried to think outside the box.

Main part:
I changed my email to one that I don’t have access to (noaccess@gmail.com) and captured the request with Burp Suite. There was a parameter called emailchange (emailchange=noaccess@gmail.com), and I changed it to (emailchange=haveaccess@gmail.com) to see what happened.
Would I receive the OTP in my mailbox? And if I entered the OTP, which email would be verified?

I got the OTP on haveaccess@gmail.com, and when I entered the OTP, to my surprise, the first email (noaccess@gmail.com) got verified.

I was like, Wait, what?

Steps To Reproduce:

1. Log in to redacted.com and change your email to X (to which you don’t have access).
2. Capture the request with Burp Suite, change the email parameter to Y (to which you have access), and forward the request.
3. Check the (Y) mailbox; there is an email with a 6-digit code.
4. Enter the code, and your email (X) that you didn’t have access to is verified.

Second one:

Let’s call the target xyz.com.
When you register an account on xyz.com, it sends a validation link to your email to activate your account.
There was an option called (Didn’t Receive the Email or Wasn’t the Email Correct) where you had to re-enter the email.

Main part:

I registered an account with (noaccess@gmail.com) that I don’t have access to, and on the verification page, I changed my email to (haveaccess@gmail.com) to get the validation link. When I got the validation link in my mailbox, I went back one step and again clicked on (Didn’t Receive the Email or Wasn’t the Email Correct). This time, I changed my email to the first one (noaccess@gmail.com). And to my surprise, when I opened the validation link that was sent to (haveaccess@gmail.com), the first email (noaccess@gmail.com) got verified.

Steps To Reproduce:

1. Register an account on xyz.com with an email that you don’t have access to.
2. Click on Didn’t Receive the Email, re-enter the email that you have access to, resend, and copy the verification link that was sent to the email.
3. Go back one step and click on Didn’t Receive the Email, re-enter the first email (that you don’t have access to), and resend.
4. Now open the verification link, and the first email (that you don’t have access to) will be verified.
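Both findings behave as if the code or link belongs to the account rather than to the address it was mailed to. The sketch below is an added example, not code from either target or from the author: `AccountBoundFlow` is an assumed model of that server-side behaviour (the findings were observed black-box), and `AddressBoundFlow` is one way to bind the code to a single address. All class, method and parameter names are hypothetical.

```python
import hmac
import secrets


def new_code():
    return f"{secrets.randbelow(10**6):06d}"  # 6-digit code, as in the write-up


class AccountBoundFlow:
    """Assumed flawed model: the code belongs to the account, not to an address."""

    def __init__(self):
        self.pending, self.codes, self.verified = {}, {}, {}

    def request(self, user, email, deliver_to=None):
        self.pending[user] = email                      # address to be verified
        code = self.codes.setdefault(user, new_code())  # survives a re-request
        return (deliver_to or email), code              # (mailbox used, code)

    def confirm(self, user, code):
        if user in self.codes and hmac.compare_digest(self.codes[user], code):
            self.verified[user] = self.pending[user]    # ownership never proved
            return True
        return False


class AddressBoundFlow:
    """Hardened model: one address per request, and the code is tied to it."""

    def __init__(self):
        self.pending, self.verified = {}, {}

    def request(self, user, email):
        # A new request overwrites, and so invalidates, any earlier code.
        self.pending[user] = (email, new_code())
        return self.pending[user]                       # mailed only to `email`

    def confirm(self, user, code):
        email, expected = self.pending.get(user, (None, ""))
        if email and hmac.compare_digest(expected, code):
            del self.pending[user]                      # single use
            self.verified[user] = email
            return True
        return False
```

Expiry and attempt limiting, which a 6-digit code also needs, are left out to keep the model small.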

Impact (the most important part):

In my experience, triagers don’t consider this an exploitable risk :/

So here you must explain: this is something that the application has tried to prevent, it probably carries a business risk, and it violates the application’s policies and potentially GDPR.

For example:
In the application, when a user registers with an email, they receive a code and link to confirm ownership of the email they used. This step is crucial for verifying the user’s identity, in the way that the application infrastructure is designed.
However, if someone enters another person’s email and skips this verification step, it violates the application’s policies and potentially GDPR.
Some scenarios for a better understanding of the impact:
1. End users whose email addresses are used without consent may experience identity theft concerns. They could be falsely associated with accounts, leading to confusion, reputational damage, or even legal repercussions.
2. The integrity of user data is compromised as the application allows the creation of accounts without proper verification. This undermines the reliability of user information stored within the system.

Thanks all,

Hope you’ve enjoyed the blog.

Special thanks to MamRezzSr

Reach me at X
