Email Verification Bypass via Remember Me

mo9khu93r
Published in InfoSec Write-ups
2 min read · Apr 22, 2024


Today I will tell you about an email verification bypass that I found accidentally.

We need to understand that bug 🐞 hunting is not a step-by-step process all the way. You need to think like this: “If I do this, what will happen?” This hunger is a must for bug bounty.

Photo by Brett Jordan on Unsplash

One more thing: I bought my iPhone 11 from bug bounty. Just joking 😂😂

Back to the topic. Companies are smarter 🧐 now: they don’t want users to create dummy accounts using temporary emails, so they implement email verification. After creating an account you aren’t redirected to the account’s dashboard until you provide the OTP or click the confirmation link that is sent to the email.

But we are here to bypass this type of authentication. Let’s see how.

However, I can’t provide the PoC or real images of the target as it is not fixed yet. It was a website that provides cloud services to users. It has a lot of functionality with a lot of vulnerabilities 😂. Apart from this bug, I also got a 2FA bypass, for which I will write another article.

Steps to reproduce 🤔:

1. Go to the signup form [https://dashboard.example.com/signup], enter email/password and click on signup.

2. You will be redirected to another URL [https://dashboard.example.com/signup/pending/random-token], which asks you to verify your email by clicking on a link that was sent to the email.

3. Now simply remove the [/signup/pending/random-token] part from the URL, making it [https://dashboard.example.com/].

4. You will automatically be redirected to the login page [https://dashboard.example.com/login].

5. Enter the email/password that you used to create the account and haven’t verified yet.

6. The site provides a remember me button; just click it and then click on login.

7. What do you think, is verification bypassed? ‘Yes, but wait.’ You will be redirected to the same path as in step 2 [https://dashboard.example.com/signup/pending/random-token], but believe me, this time we have bypassed it. Let’s see how.

8. Now repeat step 3, i.e., remove the [/signup/pending/random-token] path and make the URL [https://dashboard.example.com/], and you will be redirected to your dashboard.

Why did this verification bypass work 🤯? Because of broken authentication and session management. The remember me functionality doesn’t check whether the user has verified the email or not. At one moment I thought I hadn’t bypassed it, because even after I clicked on remember me I got redirected to the verification page; but when I changed the URL, the website was forced to show the dashboard. I thought it only checked for the remember me state. However, I don’t know the exact reason 🤓.
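To make the eight steps above and the explanation concrete, here is an added toy model of the signup / login / dashboard flow. It is example code written for this article, not the target's code or anything the author published. The mechanism it models is an assumption (the author says the exact cause is unknown): the ordinary login path withholds a session until the email is verified, the remember-me path issues a persistent session first and only then redirects to the pending page, and the dashboard route only asks whether a session exists. The hardened variant fixes both places: no session of any kind before verification, and verification re-checked on every protected request. All names, routes and the sample user are constructed.

```python
import secrets
from dataclasses import dataclass

# Placeholder for the /signup/pending/random-token redirect (constructed).
PENDING = "redirect:/signup/pending/<token>"


@dataclass
class User:
    email: str
    password: str              # plaintext only to keep the model short
    email_verified: bool = False


@dataclass
class Session:
    email: str
    persistent: bool           # True when created through "remember me"


class App:
    """Toy model of the flow in the write-up (assumed mechanism, not the target's code)."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    def signup(self, email, password):
        # Account exists but is unverified until the emailed link is clicked.
        self.users[email] = User(email, password)
        return PENDING

    def verify_email(self, email):
        self.users[email].email_verified = True

    # --- Vulnerable side: models the author's hypothesis ---------------------
    def login_vulnerable(self, email, password, remember_me=False):
        user = self.users.get(email)
        if user is None or user.password != password:
            return None, "redirect:/login"
        if not user.email_verified and not remember_me:
            return None, PENDING            # normal path: no session until verified
        # Remember-me path: the persistent session is created *before* the
        # verification check, which only decides where to redirect.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(email, persistent=remember_me)
        return sid, (PENDING if not user.email_verified else "redirect:/")

    def dashboard_vulnerable(self, sid):
        # Only asks "is there a session?", so editing the URL to "/" gets in.
        if sid not in self.sessions:
            return "redirect:/login"
        return "dashboard"

    # --- Hardened side --------------------------------------------------------
    def login_hardened(self, email, password, remember_me=False):
        user = self.users.get(email)
        if user is None or user.password != password:
            return None, "redirect:/login"
        if not user.email_verified:
            return None, PENDING            # same answer whether or not remember-me was ticked
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(email, persistent=remember_me)
        return sid, "redirect:/"

    def dashboard_hardened(self, sid):
        # Verification is an account property re-checked on every protected
        # request, so how the session was issued no longer matters.
        sess = self.sessions.get(sid)
        if sess is None:
            return "redirect:/login"
        if not self.users[sess.email].email_verified:
            return PENDING
        return "dashboard"


def reproduce(hardened):
    """Walk the eight steps of the write-up and return the page reached at step 8."""
    app = App()
    login = app.login_hardened if hardened else app.login_vulnerable
    dashboard = app.dashboard_hardened if hardened else app.dashboard_vulnerable
    app.signup("user@example.com", "hunter2")                          # steps 1-2 (constructed user)
    assert dashboard(None) == "redirect:/login"                        # steps 3-4: no session yet
    sid, where = login("user@example.com", "hunter2", remember_me=True)  # steps 5-7
    assert where == PENDING                                            # both variants redirect to pending
    return dashboard(sid)                                              # step 8: "/" again


if __name__ == "__main__":
    print("vulnerable:", reproduce(hardened=False))   # dashboard
    print("hardened:  ", reproduce(hardened=True))    # redirect:/login
```

The point of the second gate is the one a reviewer would check first when triaging a report like this: a redirect at login time is not an authorization decision, so the dashboard route must enforce verification itself rather than trust that the login handler already did.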

Please let me know if you know 💄 what the exact misconfiguration is.

Waiting for the company’s response 💣

Thank you for reading 💌
