Email Verification Bypass during Account Creation | Insecure Design
Summary
A flaw was discovered in a public programme that allowed account creation without email verification.
This was possible due to an unusual request made to a URL that fetched user profile information from Firebase, even though the registration process was still in progress.
Investigation revealed that the email verification token had been included as profile data.
A GET request to a separate URL then finalised account creation, so the control relied on the token never being used in this way (security by obscurity).
Possible solutions include restricting access to profile data until the registration process is complete, or isolating the verification token to restrict its exposure.
Malicious actors could use this vulnerability to create accounts with disposable email addresses and potentially impersonate other users or staff.
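As an added illustration (not code from the report or the affected programme), a Python model of the flawed design beside a hardened one that applies both mitigations above: the profile endpoint returns nothing until registration completes, and only a hash of the verification token is stored, separately from profile data. The in-memory store, field names and token format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the Firebase-backed profile store in the write-up;
# the real project's schema and endpoints are not known here.


def leaky_profile(email: str, token: str) -> dict:
    # The flawed design: the verification token is stored as a profile field,
    # and the profile fetch serves it while registration is still in progress.
    return {"email": email, "verificationToken": token}


class AccountService:
    """Hardened form: only a hash of the token is kept, outside the profile;
    the profile is withheld until verification; the token is single use."""

    def __init__(self) -> None:
        self.users = {}    # uid -> {"verified": bool, "profile": dict}
        self.pending = {}  # uid -> sha256(token); never part of profile data

    def register(self, uid: str, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.users[uid] = {"verified": False, "profile": {"email": email}}
        self.pending[uid] = hashlib.sha256(token.encode()).hexdigest()
        return token  # delivered only through the verification e-mail

    def get_profile(self, uid: str):
        # Returns None (a 403 in a real endpoint) until registration completes.
        user = self.users[uid]
        if not user["verified"]:
            return None
        return dict(user["profile"])

    def verify(self, uid: str, token: str) -> bool:
        expected = self.pending.get(uid)
        if expected is None:
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(expected, supplied):
            return False
        del self.pending[uid]  # one-shot: a replayed token no longer works
        self.users[uid]["verified"] = True
        return True
```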