While conducting web application testing, I focused on the email and password update sections, particularly the email update functionality. This feature is crucial as it contains a critical vulnerability that can lead to the overwriting of any user account.
A critical logic flaw in the account update functionality allows an attacker to overwrite any user’s account details by manipulating the email address field. The application fails to adequately validate and restrict email address changes, enabling an attacker to bypass existing protections and take control of another user’s account by exploiting case sensitivity.
While testing the email update functionality, I discovered a vulnerability. When adding a victim’s email address, the system checks if the email already exists. This check can be bypassed by including both the victim’s and the attacker’s email addresses in the request. The first email is the victim’s, and the second is the attacker’s. Despite receiving a response indicating that the email already exists, the system can be further tricked by changing any character in the victim’s email address to uppercase (e.g., changing mohamedashraf@cyberar.io to mohamedashraf@cyberar.iO). Sending this modified request results in the victim’s account being overwritten.
1- if an attacker adds the victim’s email in the GUI, an error message stating “email already exists” is displayed
2-Modify the request so that the first email is the victim’s email and the second email is the attacker’s email:
Change the email field to include both the victim’s email and the attacker’s email:
“`Content-Disposition: form-data; name=”email”
victim@example.com
Content-Disposition: form-data; name=”email”
attacker@example.com
but have same issue email already exists
“`
3-Adjust the victim’s email by changing a character to uppercase:
“`Content-Disposition: form-data; name=”email”
victim@Example.com“`
This critical vulnerability in the email update functionality allows attackers to bypass the existing email validation checks by manipulating the case of the email address and including multiple email fields in the request. As a result, attackers can overwrite any user’s account by exploiting this flaw. Proper input validation, normalization of email addresses, and enforcing strict rules on email updates are essential to prevent such security issues. Addressing these gaps will significantly enhance the security of user accounts and protect against unauthorized access and potential data breaches.