An Unusual Tale of Email Verification Bypass
Hey Guys. I’m Sagar Sajeev .
In this small writeup I would like to share how I reported a case of Email Verification Bypass. But what makes it unique is the way in which it has to be exploited.
Let the domain be :-
- Login into the account as email@example.com
- Go to change email option and change the mail from firstname.lastname@example.org to email@example.com
- 4 digit OTP is sent to firstname.lastname@example.org to confirm(verify) the change.
- No rate limit was set. Thus, correct OTP was found via bruteforcing.
- But upon filing the Correct OTP, the page showed incorrect OTP.
I was like….
- I couldn't understand why the correct OTP was rejected by the website.
- I inspected every request manually (the OTP bruteforce requests in repeater) and it was only after 2 hrs of trial and error, I came across a hidden parameter called “sec” embedded between the request.
- It was quite a peculiar parameter as it appeared only after the 120th request in the repeater. I verified it thrice and it was indeed appearing only after the 120th request.
- Also it was incrementing by a step value of 1 after the 120th request. i.e;
>120th request has sec value 1
>121st request has sec value 2
>122nd request has sec value 3
>123rd request has sec value 4
- I also noticed that every attempt after the 120th request led to a 302 redirect to a different subdomain.
- I’m not sure whether I’m right, but I feel like it’s a way the target has chose either to reduce traffic on the website or as something to prevent bruteforce attacks.
The Fun Part!
- The param was heavily dependent on client side, So just remove the sec param from the 120th request. This removes the parameter from every subsequent request.
- Now again try the above mentioned OTP bruteforcing and get the correct OTP and type it in.
- Email has been changed from email@example.com to firstname.lastname@example.org.
- I know this is rather a common bug. But the verification process of the website was rather unique and thus I wanted to make a writeup on it.
- I had reported this a while back, but didn’t get a reply from the Sec team. It was in fact last week that I got a reply from them and by then even I had forgot about this finding.
- Impact — This issue can be used to bypass email verification. Attackers can create account on behalf on any person without having access to that email account.
Submitted : 02–07–2022
Accepted : 03–08–2022
Rewarded with Swag : 09–08–2022
I do occasionally share some tips about Bug Bounties and related stuff over at my Twitter and LinkedIn handle. So do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.
Twitter : https://twitter.com/Sagar__Sajeev
Thanks for going through my writeup and I hope it was useful to you. I’ve made 6 other writeups on my Medium handle. Please do check those out as well.