An Unusual Tale of Email Verification Bypass

Hey Guys. I’m Sagar Sajeev .

In this small writeup I would like to share how I reported a case of Email Verification Bypass. But what makes it unique is the way in which it has to be exploited.

Let the domain be :-

“https://www.redacted.com/account/login”

  1. Go to change email option and change the mail from attacker@email.com to victim@email.com
  2. 4 digit OTP is sent to victim@email.com to confirm(verify) the change.
  3. No rate limit was set. Thus, correct OTP was found via bruteforcing.
  4. But upon filing the Correct OTP, the page showed incorrect OTP.

I was like….

  • I inspected every request manually (the OTP bruteforce requests in repeater) and it was only after 2 hrs of trial and error, I came across a hidden parameter called “sec” embedded between the request.
  • It was quite a peculiar parameter as it appeared only after the 120th request in the repeater. I verified it thrice and it was indeed appearing only after the 120th request.
  • Also it was incrementing by a step value of 1 after the 120th request. i.e;

>120th request has sec value 1

>121st request has sec value 2

>122nd request has sec value 3

>123rd request has sec value 4

> etc

  • I’m not sure whether I’m right, but I feel like it’s a way the target has chose either to reduce traffic on the website or as something to prevent bruteforce attacks.

The Fun Part!

  • The param was heavily dependent on client side, So just remove the sec param from the 120th request. This removes the parameter from every subsequent request.
  • Now again try the above mentioned OTP bruteforcing and get the correct OTP and type it in.
  • Email has been changed from attacker@email.com to victim@email.com.
  • I had reported this a while back, but didn’t get a reply from the Sec team. It was in fact last week that I got a reply from them and by then even I had forgot about this finding.
  • Impact — This issue can be used to bypass email verification. Attackers can create account on behalf on any person without having access to that email account.

Timeline

Submitted : 02–07–2022

Accepted : 03–08–2022

Rewarded with Swag : 09–08–2022

I do occasionally share some tips about Bug Bounties and related stuff over at my Twitter and LinkedIn handle. So do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.

LinkedIn : https://www.linkedin.com/in/sagar-sajeev-663491208/

Twitter : https://twitter.com/Sagar__Sajeev

Thanks for going through my writeup and I hope it was useful to you. I’ve made 6 other writeups on my Medium handle. Please do check those out as well.

Happy Hunting!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store