Hi guys, after almost a year, I thought I should create a new write-up. Today, I’m gonna show you the email verification bypass vulnerability that I found at high-profile tech & software company. So I’ll call that company as “redacted” and let’s get started!

Basically, when you sign up with the redacted company, you have 48 hours to verify your email.

As you can see in this picture, it is a demo intended for limited access by new users. During this time, you can use the application, but after 48 hours have passed, you cannot log in without verifying your email.

And when you want to log in after 48 hours, you will see the tab below and you will need to verify your email. Yes, I waited 2 days for this.

When we click the “click to resend” button to continue using the account, we receive an email for email verification. Lemme show you that mail.

At this point, I noticed that the token value sent in the mail for verification purposes is the same as the token value in the URL field in the second image.

Take a look at this match, we can also view this token from the Burp Suite interface.

You can easily see the match in all three images (first and second images for the verification area). This means that even if a user registered with an email that doesn’t have, he/she can use that email unlimitedly.

As a result, users can copy this token value and convert it to the URL format sent for email verification.

Demo Steps:
1- Create a new account with [email protected] mail at redacted.com
2- After 48 hours, you need to verify your account. Login to the site and you will see that email verification tab.
3- Copy the token value in URL section of verfication tab and paste here: www.redacted.com/Login/UserEmailConfirm?Token=*HERE*

The team accepted and fixed this report as email verification bypass and pre-auth account takeover and rewarded me $$$ bounty.

That’s all for now. Thanks for reading this far and I hope you liked it!

https://twitter.com/canmustdie
https://0xcan1337.github.io/