An Unusual Tale of Email Verification Bypass

  1. Log in to the account as
  2. Go to the change-email option and change the email from to
  3. A 4-digit OTP is sent to to confirm (verify) the change.
  4. No rate limit was set, so the correct OTP was found by brute-forcing.
  5. But upon filling in the correct OTP, the page showed "incorrect OTP".
  • I couldn't understand why the correct OTP was rejected by the website.
  • I inspected every request manually (the OTP brute-force requests in Repeater) and it was only after 2 hrs of trial and error that I came across a hidden parameter called "sec" embedded in the request.
  • It was quite a peculiar parameter, as it appeared only after the 120th request in Repeater. I verified it thrice and it was indeed appearing only after the 120th request.
  • It was also incrementing by a step value of 1 after the 120th request, i.e.
  • I also noticed that every attempt after the 120th request led to a 302 redirect to a different subdomain.
  • I'm not sure whether I'm right, but I feel like it's a way the target has chosen either to reduce traffic on the website or to prevent brute-force attacks.

The Fun Part!

  • The param was heavily dependent on the client side, so just remove the sec param from the 120th request. This removes the parameter from every subsequent request.
  • Now try the above-mentioned OTP brute-forcing again, get the correct OTP and type it in.
  • Email has been changed from to
  • I know this is rather a common bug. But the verification process of the website was rather unique and thus I wanted to make a writeup on it.
  • I had reported this a while back, but didn't get a reply from the Sec team. It was in fact last week that I got a reply from them, and by then even I had forgotten about this finding.
  • Impact — This issue can be used to bypass email verification. Attackers can create an account on behalf of any person without having access to that email account.
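The root cause in this writeup is that the only brake on OTP guessing lived in a client-controlled parameter ("sec"), so dropping it reset the counter. Below is an added example, not code from the post or from the affected site, of how an email-change verifier can keep the attempt budget, lockout and expiry in server-side state keyed by the account, so that nothing the client sends or omits changes the outcome. All names (`EmailChangeVerifier`, `PendingEmailChange`, the `client_params` argument, the 5-attempt budget and 10-minute TTL) are hypothetical choices for the example.

```python
"""Server-side OTP verification for an email-change flow.

Added example (not the post's code): the attempt budget, lockout and
expiry live in server state keyed by the account, so nothing the client
sends or omits (such as a "sec"-style counter) can reset them.
All names and limits here are hypothetical.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # wrong guesses allowed per pending change (assumed policy)
OTP_TTL_SECONDS = 600     # pending change expires after 10 minutes (assumed policy)


@dataclass
class PendingEmailChange:
    new_email: str
    otp: str
    created_at: float
    attempts: int = 0     # counted on the server, never taken from the request


class EmailChangeVerifier:
    """Tracks one pending email change per account, entirely server-side."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=OTP_TTL_SECONDS, now=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.now = now              # injectable clock so tests can control expiry
        self._pending = {}          # account id -> PendingEmailChange

    def start_change(self, account_id, new_email):
        """Create a 4-digit OTP (same length as in the post) for the change.

        Returns the OTP only so the demo can deliver it; a real service
        would send it to new_email and never expose it to the caller.
        """
        otp = f"{secrets.randbelow(10_000):04d}"
        self._pending[account_id] = PendingEmailChange(new_email, otp, self.now())
        return otp

    def verify(self, account_id, submitted_otp, client_params=None):
        """Check a submitted OTP. client_params is accepted only to show it is ignored.

        Returns one of: "no_pending_change", "expired", "locked",
        "incorrect", "verified".
        """
        rec = self._pending.get(account_id)
        if rec is None:
            return "no_pending_change"
        if self.now() - rec.created_at > self.ttl:
            del self._pending[account_id]
            return "expired"
        if rec.attempts >= self.max_attempts:
            return "locked"          # budget spent; a correct guess no longer helps
        rec.attempts += 1
        if hmac.compare_digest(rec.otp, str(submitted_otp)):
            del self._pending[account_id]   # one-time use: the OTP cannot be replayed
            return "verified"
        if rec.attempts >= self.max_attempts:
            return "locked"
        return "incorrect"

    def pending_email(self, account_id):
        """The email awaiting confirmation, or None once verified/expired."""
        rec = self._pending.get(account_id)
        return rec.new_email if rec else None


def guess_success_probability(otp_digits=4, attempts=MAX_ATTEMPTS):
    """Chance that random guessing hits the OTP within the attempt budget."""
    return attempts / 10 ** otp_digits


if __name__ == "__main__":
    v = EmailChangeVerifier()
    otp = v.start_change("acct-1", "new@example.com")   # constructed sample account
    print("demo OTP:", otp)
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        print(guess, "->", v.verify("acct-1", guess, {"sec": "120"}))
    print("correct OTP after lockout ->", v.verify("acct-1", otp))
    print("guess success probability:", guess_success_probability())
```

With a 4-digit code and a 5-attempt budget, a guesser's chance of success is 5/10000 per pending change; the remaining gap to close is the resend path, since `start_change` overwrites the record and would also need its own server-side rate limit.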

Sagar Sajeev
18 y/o | Security Researcher | Bug Bounty Hunter |