First valid critical vulnerability of mine


Shalabhdevliyal

Hey there, hope you’re all doing well… Yep, I’m doing just fine too.

So, let’s dive into the story of my very first big bug discovery in a Vulnerability Disclosure program on HackerOne.

Spoiler alert: It was later marked as a duplicate. But before we get to that….

Disclaimer: I’m no pro bug bounty hunter, just a curious soul who loves to poke around and stumbled upon this vulnerability. So, if I goofed up anywhere, please be gentle with me and feel free to correct me.

Alright, let’s dive in.

Overview of Bug
When a new user signs up, the web application does not enforce email verification, so an attacker can register with any email address, including someone else's, without the owner's consent. This lets a malicious user create multiple fake accounts and even create accounts in other people's names, using their email addresses, for unauthorized activities.

Weird thing, but this is not my area of expertise.

So, I picked a Vulnerability Disclosure Program (VDP) from HackerOne and, just casually poking around, I started exploring the webpage of a domain.

let’s call it website.test.com.

My mission? Well, like any beginner in this game, I was on the hunt for XSS — the OG. Armed with the enthusiasm of a newbie, I was dumping it everywhere (>__<). But alas, no luck. Nothing obvious jumped out at me.

Then, I made a bold decision to shake off my lazy self and tackle it head-on. I fired up my trusty Burp Suite and kicked off the game of request capture, forward, repeat, and intrude — one by one. The energy was buzzing, and so was my system.

A few minutes into exploring the webpage, I figured the internal part was a bit too crowded for hunting, so I decided to check out the login pages for vulnerabilities.
I began capturing requests one by one and checking out the responses they were giving.

And just like that, a light bulb moment!💡💡

I stumbled upon something peculiar with the create account functionality. After signing up and creating an account, there was no confirmation email in sight, yet the account was magically created on the spot.

So, being the curious cat I am, I decided to switch things up a bit and entered the email of a very dear friend of mine (*__*) because, you know, friends always have your back.

Sure enough, like the reliable bro he is, he came to my rescue. As soon as I entered his email and forwarded the request, an account was created. Intrigued, I began experimenting with random variations of the email format like “@gmail.com”.

Example emails:

nicenice@gmail.com
iamtryingtocreateadummyaccount@gmail.com
lifeisgood@gmail.com

To my surprise, each time I got a “200 success” message. Just to make sure, I tried logging in using the login page, and guess what? I logged in successfully!

Finally, I was able to find a valid bug, which was enough to make me happy, so I created a report and submitted it to the program.

Now, before celebrating, let me put the reproduction steps here!!

Steps To Reproduce:

1. Click on signup option

2. Put an email and password to signup

3. Capture the requests using Burp Suite.

4. In the email parameter of the request add some other random email address.

5. Click send and in the response you will get the success.

6. Enter those credentials on sign in page and you will have the new account created successfully
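What the fix looks like in code, as an added example that is not part of the original post or of the program's application: the signup flow the write-up describes (account usable the moment the request is sent) next to one that keeps the account unusable until the mailbox owner presents a token that was mailed only to that address. `UserStore`, `OUTBOX` and the method names are constructed for this illustration; the token is stored hashed, single-use, and time-limited.

```python
import hashlib
import secrets
import time

OUTBOX = []  # constructed stand-in for an email sender: (recipient, token)


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """In-memory signup/login model; both flows are constructed for this example."""

    def __init__(self, token_ttl=3600):
        self.users = {}    # email -> {"salt", "pw_hash", "verified"}
        self.pending = {}  # sha256(token) -> (email, expires_at)
        self.token_ttl = token_ttl

    def signup_unverified(self, email, password):
        # The flow from the write-up: the account is live as soon as the request
        # is sent, so any address, including someone else's, can be claimed.
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw_hash": _hash_pw(password, salt), "verified": True}
        return 200

    def signup(self, email, password):
        # Hardened flow: the record exists but cannot log in until the mailbox
        # owner presents the token that was delivered only to that address.
        if email not in self.users:  # never overwrite an existing account
            salt = secrets.token_bytes(16)
            self.users[email] = {"salt": salt, "pw_hash": _hash_pw(password, salt), "verified": False}
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
            self.pending[digest] = (email, time.time() + self.token_ttl)
            OUTBOX.append((email, token))
        return 200  # same status either way: don't reveal whether the address is taken

    def verify(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: gone after the first attempt
        if entry is None or time.time() > entry[1]:
            return False  # unknown, already used, or expired token
        self.users[entry[0]]["verified"] = True
        return True

    def login(self, email, password):
        u = self.users.get(email)
        if u is None or not u["verified"]:
            return False  # unverified accounts are rejected here, not just hidden
        return secrets.compare_digest(u["pw_hash"], _hash_pw(password, u["salt"]))
```

The point of the hardened flow is step 6 of the reproduction above: without the token, the attacker's login attempt fails even though the signup request returned 200.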

Within the next 24 hours I got a mail.

I was happy it was like a battle winning moment for me.

But what happened next was…

Reality hit me hard with a mail and a nine-letter word: DUPLICATE. Ouch!

Well, all in all, it was a successful run. The bug turned out to be valid, which was the most important thing to me.

Wait, you’re still here?
Thanks a bunch for being such a patient audience.
I’ll catch you again soon with another adventure. Until then, happy bug hunting!
