An Email Authentication Bypass, But Marked as N/A in NASA domain


AjakCybersecurity

Thank you for 2K followers, keep showing love :) Hi, Ajak Amico's welcome back to another blog. Today I will explain how I found an email authentication bypass leading to a pre-account takeover, which was unfortunately marked N/A since there was no impact on users. I was hugely disappointed with this anyway. So before starting, if you haven't subscribed to our channel, do subscribe, guys.

Follow our Youtube Channel: @ajakcybersecurity (360 Videos)

Follow on Instagram: AjakCybersecurity

Buy me Coffee: https://buymeacoffee.com/ajak

As usual, I used my favourite subdomain enumeration tool, https://subdomainfinder.c99.nl/, and opened every URL via a bulk URL-opener extension. I found a login page where anyone can register and view Earth data for reference, so I started to play with the website.

So I created an account with attacker@gmail.com. Upon registration you receive an email confirmation with a verification link, as shown in the screenshot below.

I confirmed the link, logged into the attacker account and viewed my profile; it showed Email: Verified.

Next, I went into Edit Profile and changed the email to earth.admin@nasa.gov.

Once I hit enter, I was logged out of my account and received the message “A verification email has been sent to the new updated email. Your profile is in the PENDING state until you verify your email.”

Now I couldn't even log in with attacker@gmail.com: I needed to verify the email that was sent to earth.admin@nasa.gov. Even when I tried to log in with the earth.admin@nasa.gov email and the attacker password, I couldn't log in and was redirected to the verification page again.

Very simple: I just went into my attacker@gmail.com mailbox and clicked the same link that was sent to me during my initial registration.

After clicking the link, I received the following message: “Your profile has been activated. Log into Earthdata Login system”

Now I went to the login page, entered earth.admin@nasa.gov as the email together with the attacker account's password, and guess what, I got logged in.

As you can see, my earth.admin@nasa.gov address was shown as verified, and I had successfully bypassed the email verification: the link issued for the original address still activated the profile after the address had been changed. I know pre-account takeover bugs always carry less impact, but I strongly believed this flaw would get triaged since I bypassed the email verification. But bug bounty is a tricky game; this was the message I received from the Bugcrowd triage team. Well, at least for bypassing the email verification, they could have triaged it 🥲.
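The root cause of the flow above, as an added example (this is not code from the post or from the Earthdata service): a toy account model where the vulnerable handler activates the profile for any link ever issued to the user, beside a hardened one that ties each link to the address it was sent to, invalidates old links when the address changes, and makes links single-use. The `Accounts` class, the `hardened` switch and the placeholder addresses are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    verified: bool = False
    tokens: dict = field(default_factory=dict)  # token -> address it was issued for

class Accounts:
    # Toy model of the verification flow (constructed for illustration).
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users: dict[str, User] = {}

    def _issue(self, user: User, email: str) -> str:
        token = secrets.token_urlsafe(16)  # the link that would be emailed to `email`
        user.tokens[token] = email
        return token

    def register(self, user_id: str, email: str) -> str:
        self.users[user_id] = user = User(email=email)
        return self._issue(user, email)

    def change_email(self, user_id: str, new_email: str) -> str:
        user = self.users[user_id]
        user.email, user.verified = new_email, False  # profile goes to PENDING
        if self.hardened:
            user.tokens.clear()  # every earlier link dies with the old address
        return self._issue(user, new_email)

    def verify(self, user_id: str, token: str) -> bool:
        user = self.users[user_id]
        issued_for = user.tokens.get(token)
        # Hardened: the link must match the address currently on file.
        if issued_for is None or (self.hardened and issued_for != user.email):
            return False
        if self.hardened:
            del user.tokens[token]  # single use
        user.verified = True  # vulnerable path: any link the user ever got activates the profile
        return True

def old_link_activates_new_email(hardened: bool) -> bool:
    # Replay the post's steps: register, verify, change the address, reuse the first link.
    acct = Accounts(hardened)
    first_link = acct.register("u1", "attacker@example.com")  # constructed address
    acct.verify("u1", first_link)
    acct.change_email("u1", "victim@example.org")  # placeholder for the address being claimed
    acct.verify("u1", first_link)
    return acct.users["u1"].verified and acct.users["u1"].email == "victim@example.org"
```

With `hardened=False` the replayed link marks the unverified address as verified, reproducing the bug; with `hardened=True` it is rejected and the profile stays pending.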

Anyway, comment below if I can chain this with any other vulnerability. Hope you enjoyed reading my blog, and we'll meet in the next one. :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Hope you learned something from this blog; if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity. ❤️

“Hold fast to what you have learned 🔥” (கற்றவை பற்றவை)

Learn Everyday, Happy Hacking 😁🙌

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Follow our Youtube Channel: @ajakcybersecurity

Follow on Instagram: @ajakcybersecurity
