.png)
7 months ago
46 BOOK THIS SPACE FOR AD
ARTICLE ADHello fellow researchers,
I hope you’re all doing well. My name is Yassine, and I’m a security researcher from Morocco. Today, I want to talk about a vulnerability I discovered in a private Bugcrowd program.
The vulnerability I found falls under the category of Broken Access Control. It allows me to bypass the email verification step without having to interact with the link sent to my inbox. You see, there are various ways to bypass email verification. Some are widely known, while others depend on the data in the request. For instance, you can bypass it by using a different email address for verification, or by manipulating the response of the request.
But the one I encountered depends on the data in the request. The app prompted me to verify my account in order to use a feature on the website. When I clicked “send” and intercepted the request, I received a GraphQL request with the following data:
[{"operationName":"solutionsResendEmailVerification","variables":{"input":{"entityId":"511","status":"PENDING","requestReferrer":"SOLUTIONS_CREATE"}},"query":"mutation solutionsResendEmailVerification($input: ResendEmailInput!) {\n resendEmailVerification(input: $input) {\n success\n __typename\n }\n}\n"}]In the request, the status was originally “PENDING.” I changed it to “VERIFIED,” refreshed the page, and gained access to the solutions without verifying my address. Pretty easy way to bypass verification, right? But, I didn’t realize the impact of this vulnerability was so high, so I reported it. The Bugcrowd triage team flagged it as a P4.
One month later, the program’s team changed the state to unresolved, giving me 5 points. Then, just 10 minutes later, they added an extra 15 points and upgraded the severity to P2. The explanation behind this upgrade was as follows:
Hi Y4SS1NE
Based on our investigation, it looks like this endpoint is not just suppressing the email verification status on the UI but also actually set’s the email to verified in the backend. This is due to an error in the way this call was implemented. This opens us up a potential for fraud and spoofed accounts that could lead to disclosure of sensitive data in some configurations. Due to the potential impact, this has been set at P2. Great find! Thank you!
Reward: 1200$
I would like to express my gratitude to the program’s team for their transparency and clarification, and to Bugcrowd for promptly triaging the issue!
Bengali (Bangladesh) · 
English (United States) ·