Hi, I am Vinayak Patil. I am the one who wants to make this world secure, but dude, I really tried hard to do that and that’s a ah . . . , yeah you know. So I thought let’s secure WWW, and that’s why I am here.
My morning starts with email verification bypass, account takeover, 2FA bypass and ends with RCE (lol, I have not reported a single bug on RCE yet, and reported and found are different words). I visit Bugcrowd and look for a domain where a translator is not needed, yeah, says no to French, Russian, Chinese as they go 17 feet above my head, and I picked one decent domain.
What’s next?
I visit the sign-up page & create an account with my Bugcrowd alias mail ID. So consider I create the account with my-email@mail.com. After that I am redirected to the dashboard (wait, that’s not how I bypassed it) where at the left corner it is written: account not verified, we sent a verification link over mail. Yeah, they did, there was a verification link in my mailbox. As the account is not verified, a few functions are disabled on my dashboard (that was weird, why did they let me in), but I can edit the profile, I was even able to change the email, so I changed it to my-email-2@mail.com and I got a new verification link in my mailbox which is the same as the previous (wait, what) one. I clicked the first verification link, which was sent to my-email@mail.com, and boom, my-email-2@mail.com becomes the verified email. Now this time I change the email to some weird mail (which never exists) and click the same link. And that weird email is shown on my dashboard as the verified one. And without wasting time (lol, I wasted the whole day to dig more) I report the bug to that decent domain on the Bugcrowd platform.
Impact:
Attackers can create an account on behalf of any person without having access to the email account.
If you like my report . . . then why are you waiting, just do it
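The behaviour described above comes down to a verification link that identifies only the account, so it confirms whatever address is on the profile when it is clicked. The following is an added example, not code from the original post or the affected site, that contrasts this pattern with a link bound to the address by a MAC; the `Accounts` class, its method names, `SECRET` and `TTL` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side MAC key, constructed for this example
TTL = 3600                        # link lifetime in seconds (assumed value)


def _mac(user_id, email, expires):
    msg = f"{user_id}|{email.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class Accounts:
    def __init__(self):
        self.users = {}  # hypothetical in-memory store: user_id -> record

    def signup(self, user_id, email):
        self.users[user_id] = {"email": email, "verified": False,
                               "weak_token": secrets.token_urlsafe(16)}

    def change_email(self, user_id, new_email):
        self.users[user_id].update(email=new_email, verified=False)

    # Flawed pattern from the write-up: the link identifies only the account.
    def weak_verify(self, user_id, token):
        u = self.users[user_id]
        if hmac.compare_digest(token.encode(), u["weak_token"].encode()):
            u["verified"] = True  # verifies whatever address is current
        return u["verified"]

    # Hardened: the link carries a MAC over (account, address, expiry).
    def issue_link(self, user_id, now=None):
        expires = int(time.time() if now is None else now) + TTL
        return f"{expires}.{_mac(user_id, self.users[user_id]['email'], expires)}"

    def verify(self, user_id, token, now=None):
        u = self.users[user_id]
        expires, _, sig = token.partition(".")
        if not (expires.isascii() and expires.isdigit()):
            return False  # malformed token
        if int(expires) < (time.time() if now is None else now):
            return False  # link expired
        want = _mac(user_id, u["email"], expires)
        if not hmac.compare_digest(sig.encode(), want.encode()):
            return False  # address changed since the link was issued
        u["verified"] = True
        return True
```

With the hardened check, a link mailed to my-email@mail.com stops working as soon as the profile address changes, so only someone who can read the new mailbox can verify it.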