Business logic allows any user to be blocked from creating an account
Summary
The author was testing a program's account-creation flow for vulnerabilities.
They discovered that the email address of a newly created account could be changed after creation, and that this allowed them to create a new account carrying an email address that was already registered but not yet verified.
The legitimate owner of that address was then unable to reset their password: the reset link was never sent, because the address was treated as unverified.
The author reported the vulnerability, which was fixed within two hours.
The report was then marked as a duplicate; two days later the reporter was notified that the issue had previously been found and fixed internally.
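The flaw reduces to a uniqueness rule enforced at registration but not at email change. The following toy model replays the scenario and shows the hardened variant. It is an added example, not code from the tested program or from the author's report: the class and method names (`AccountStore`, `register`, `change_email`, `request_password_reset`), the rule that reset links go only to verified addresses, and the assumption that a lookup by email resolves to the newest account claiming it are all illustrative assumptions.

```python
"""Toy model of the email-change logic flaw summarised above.

Added example, not the tested program's or the author's code. All names
and backend rules here are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False


class AccountStore:
    """Minimal account backend. strict=True applies the hardened rule."""

    def __init__(self, strict: bool = False) -> None:
        self.strict = strict
        self.accounts: list[Account] = []  # newest last

    def _find_by_email(self, email: str) -> Optional[Account]:
        # Assumed: lookup returns the newest account claiming the address.
        for acct in reversed(self.accounts):
            if acct.email == email:
                return acct
        return None

    def register(self, username: str, email: str) -> Account:
        # Registration enforces address uniqueness (this check worked).
        if self._find_by_email(email) is not None:
            raise ValueError("email already registered")
        acct = Account(username, email)
        self.accounts.append(acct)
        return acct

    def verify_email(self, acct: Account) -> None:
        acct.email_verified = True

    def change_email(self, acct: Account, new_email: str) -> None:
        other = self._find_by_email(new_email)
        if self.strict and other is not None and other is not acct:
            # Hardened: the same uniqueness rule as registration applies here.
            raise ValueError("email already registered")
        # Vulnerable path: no check, so another user's not-yet-verified
        # address can be claimed by editing a freshly created account.
        acct.email = new_email
        acct.email_verified = False

    def request_password_reset(self, email: str) -> Optional[str]:
        """Return a reset token to mail, or None when no link is sent.

        Assumed rule: links go only to verified addresses.
        """
        acct = self._find_by_email(email)
        if acct is None or not acct.email_verified:
            return None
        return secrets.token_urlsafe(16)


def run_scenario(strict: bool) -> dict:
    """Replay the report: victim registers, attacker claims the address."""
    store = AccountStore(strict=strict)
    victim = store.register("victim", "victim@example.com")  # constructed, unverified
    attacker = store.register("attacker", "attacker@example.com")  # constructed
    try:
        store.change_email(attacker, "victim@example.com")
        hijacked = True
    except ValueError:
        hijacked = False
    # Even once the victim verifies, the reset request resolves to whichever
    # account the backend finds for the address; in the vulnerable store that
    # is the attacker's unverified copy, so no link is sent.
    store.verify_email(victim)
    token = store.request_password_reset("victim@example.com")
    return {
        "hijacked": hijacked,
        "resolved_to": store._find_by_email("victim@example.com").username,
        "reset_sent": token is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(strict=False))
    print("hardened:  ", run_scenario(strict=True))
```

The hardened rule is the minimal fix: any address already held by another account is rejected at email change exactly as it is at registration. A stricter design would also keep the old address active until the new one is verified, so that an unverified change can never displace a working address.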