An Unusual Tale of Email Verification Bypass

  1. Log in to the account as attacker@email.com.
  2. Go to the change-email option and change the mail from attacker@email.com to victim@email.com.
  3. A 4-digit OTP is sent to victim@email.com to confirm (verify) the change.
  4. No rate limit was set, so the correct OTP was found by brute-forcing.
  5. But upon entering the correct OTP, the page showed "incorrect OTP".
  • I couldn't understand why the correct OTP was rejected by the website.
  • I inspected every request manually (the OTP brute-force requests in Repeater), and it was only after 2 hrs of trial and error that I came across a hidden parameter called "sec" embedded in the request.
  • It was quite a peculiar parameter, as it appeared only after the 120th request in Repeater. I verified it thrice and it was indeed appearing only after the 120th request.
  • Also, it was incrementing by a step value of 1 after the 120th request, i.e.
  • I also noticed that every attempt after the 120th request led to a 302 redirect to a different subdomain.
  • I'm not sure whether I'm right, but I feel like it's a way the target has chosen either to reduce traffic on the website or to prevent brute-force attacks.

The Fun Part!

  • The param was heavily dependent on the client side, so just remove the sec param from the 120th request. This removes the parameter from every subsequent request.
  • Now try the above-mentioned OTP brute-forcing again, get the correct OTP and type it in.
  • The email has been changed from attacker@email.com to victim@email.com.
  • I know this is rather a common bug, but the verification process of the website was rather unique, and thus I wanted to make a writeup on it.
  • I had reported this a while back but didn't get a reply from the security team. It was in fact last week that I got a reply from them, and by then even I had forgotten about this finding.
  • Impact — This issue can be used to bypass email verification. Attackers can create an account on behalf of any person without having access to that email account.
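The fix this finding calls for, as an added example (not the target site's code): the attempt counter and OTP expiry live entirely in server-side state bound to the pending email change, so a client-side parameter like "sec" is never consulted and stripping it from the request changes nothing. Account ids, the in-memory store and the 5-attempt budget are assumptions for the demo.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # budget far below the 10,000 possible 4-digit codes
OTP_TTL_SECONDS = 600   # pending change expires after 10 minutes

# Pending email changes keyed by account id. In production this would be a
# datastore the client cannot influence; here it is an in-memory dict (assumed).
_pending = {}


def start_email_change(account_id, new_email, now=None):
    """Issue a 4-digit OTP for a requested email change and record it server-side."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10_000):04d}"
    _pending[account_id] = {
        "new_email": new_email,
        "otp": otp,
        "attempts": 0,
        "expires_at": now + OTP_TTL_SECONDS,
    }
    return otp  # would be emailed to new_email, never returned to the client


def verify_email_change(account_id, new_email, submitted_otp, now=None):
    """Return (ok, reason). Every decision comes from server-side state, so no
    request parameter can reset the attempt count or extend the lifetime."""
    now = time.time() if now is None else now
    entry = _pending.get(account_id)
    if entry is None:
        return False, "no_pending_change"
    if now > entry["expires_at"]:
        del _pending[account_id]
        return False, "expired"
    if entry["new_email"] != new_email:
        return False, "email_mismatch"
    # Count the attempt before comparing, so a correct guess after the budget
    # is spent is still rejected and the pending change is discarded.
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[account_id]
        return False, "locked_out"
    if not hmac.compare_digest(entry["otp"], submitted_otp):
        return False, "wrong_otp"
    del _pending[account_id]  # one-time use: a verified OTP cannot be replayed
    return True, "email_changed"
```

Once locked out, the brute-force has to restart from a freshly issued OTP, and a rate limit on start_email_change itself bounds that as well.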

Sagar Sajeev

18 y/o | Security Researcher | Bug Bounty Hunter |