Bypassing Email Uniqueness Check: A Logic Flaw Disrupting Password Recovery

1 month ago 30
BOOK THIS SPACE FOR AD
ARTICLE AD

I wanted to share a bug I found some time ago. This is the first bug I’ll be sharing, but it certainly won’t be the last, inshallah. It was one of the more unusual bugs I’ve encountered. We have a website, and typically, the logic of any website ensures that you can’t create an account with the same email. The site I was testing followed this rule too.

However, when I tried to change the email, the first attempt was rejected. But when I tried again, surprisingly, it accepted the change. I thought, 'LOL,

let me try again.' The code logic in my mind was that the backend is designed to send a notification only once, that the email already exists, and all subsequent requests pass through normally.

The impact of this bug is that it prevents a user from requesting a 'forgot password' reset. It fails entirely, as the backend, when trying to send a token to the email, finds two users with the same email. Obviously, it wasn’t designed for that and throws an error.

So, this was a simple bug with a low severity, mainly affecting availability.

Read Entire Article