Email Verification Bypass Worth $$$

the_unlucky_guy
2 min read · Mar 3, 2023

Hello Geeks, hope you guys are hacking well. In this blog I am going to share a small story of bypassing email verification. I am not allowed to share the organization's name, so I will be using redacted.com as the main domain.

*.redacted.com is in scope. As usual, I started with subdomain enumeration; for that I mostly use a combination of subfinder, findomain and amass. After enumerating, I found only 3 live domains: one is the main application and the other two serve static pages. I picked init.redacted.com, used crt.sh to look for further subdomains, and found swf-apps.init.redacted.com.

There is a registration page at swf-apps.init.redacted.com where you can create an account.

After creating an account, the user receives an email with a verification link. Users have to verify their email before they can log in to their accounts. The verification link looks like https://swf-apps.init.redacted.com/capabilities/Account/emailverification.aspx?e=token&n=1x0

I decoded the value of e and found that the token is nothing more than the base64 encoding of the user's email address, so the link is effectively https://swf-apps.init.redacted.com/capabilities/Account/emailverification.aspx?e=user_email_base64_encode&n=1x0. Because the token is derived from the email alone, with no secret, randomness or expiry, anyone who knows an address can reproduce its verification link.

So I registered a new account using an email I do not control, such as admin@redacted.com. To log in successfully I had to verify that email, so I crafted the verification link myself (base64 of the address in the e parameter) and used it to verify the account. That was it.

To demonstrate the impact, I used a company email address.
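The token design described above, as an added example that is not the site's code: `weak_token` reproduces the base64(email) scheme from the write-up, and `issue_token`/`verify_token` sketch the kind of random, single-use, expiring token a registration flow should issue instead (the in-memory store, the TTL and the function names are my assumptions).

```python
import base64
import secrets
import time
from typing import Dict, Optional, Tuple

# --- Weak scheme from the write-up: the token is just base64(email).
# It is deterministic and unkeyed, so anyone who knows the address can
# reproduce it; "verification" proves nothing about mailbox ownership.
def weak_token(email: str) -> str:
    return base64.b64encode(email.encode()).decode()

def weak_verify(token: str, email: str) -> bool:
    return base64.b64decode(token).decode() == email

# --- Hardened scheme (hypothetical replacement, not the vendor's fix):
# a random token generated at registration, stored server-side with an
# expiry, and consumed on first successful use.
TOKEN_TTL_SECONDS = 24 * 3600
_pending: Dict[str, Tuple[str, float]] = {}   # token -> (email, expiry); constructed store

def issue_token(email: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _pending[token] = (email, now + TOKEN_TTL_SECONDS)
    return token

def verify_token(token: str, email: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    entry = _pending.get(token)
    if entry is None:                          # unknown or forged token
        return False
    stored_email, expiry = entry
    if now > expiry:                           # expired: discard and refuse
        _pending.pop(token, None)
        return False
    if stored_email != email:                  # token must match the account it was issued for
        return False
    _pending.pop(token, None)                  # single use
    return True
```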

Timeline:

March 22, 2021 — Reported

March 22, 2021 — Triaged and $$$ Bounty awarded

September 28, 2021 — Fixed.

Thanks for reading, I hope you learned something new. Do clap and share if you liked it. I will write up more of my findings soon, so stay tuned for my next write-up.

Twitter: 7he_unlucky_guy
LinkedIn: Vijeta
