Allows Disposable Email Addresses
Overview of the Vulnerability
When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application allows users to submit a disposable or alias email address to register an account. An attacker can abuse this weakness to bulk register fake user profiles and use them to launch spam campaigns.
Business Impact
Having a weak registration implementation can result in reputational damage for the business through the impact on customers' trust: they may believe that the business does not take their account security seriously, or doubt that their data will remain secure.
Steps to Reproduce
Use a browser to navigate to: {{URL}}
Register an account using a disposable email service
Observe that the account is created
Proof of Concept (PoC)
The following screenshot shows the weak registration implementation:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Your submission must include evidence of the vulnerability and not be theoretical in nature.
For the use of disposable email addresses, please include a screenshot of an account that was created with a disposable email address. Consider how disposable email addresses could be used in an impactful way. If a malicious action is possible, provide a full Proof of Concept (PoC) and update the Business Impact summary.
Recommendation(s)
The application should accept only valid email addresses for all user accounts, to minimize account abuse.
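As an added example (not part of this template), one way to implement the recommendation in a registration handler: normalize the submitted address, fold sub-address aliases such as user+tag@host onto the base mailbox, and reject domains on a disposable-provider blocklist, including their subdomains. The blocklist entries and the .example domains below are constructed placeholders, not a real provider list.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed sample blocklist for this example; a real deployment would load
# a maintained list of disposable/alias provider domains. Entries match the
# exact domain or any subdomain of it.
DISPOSABLE_DOMAINS = frozenset({
    "disposable.example",
    "tempmail.example",
})

_LOCAL_RE = re.compile(r"^[a-z0-9._%+-]+$")
_DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def normalize_email(raw: str) -> Optional[str]:
    """Return a canonical 'local@domain' form, or None if the address is malformed."""
    addr = raw.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or ".." in local or local.startswith(".") or local.endswith("."):
        return None
    if not _LOCAL_RE.match(local) or not _DOMAIN_RE.fullmatch(domain):
        return None
    # Drop the sub-address tag so "user+a" and "user+b" collapse onto one mailbox.
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def is_disposable_domain(domain: str, blocklist: Iterable[str] = DISPOSABLE_DOMAINS) -> bool:
    """True if the domain, or any parent domain below the TLD, is on the blocklist."""
    labels = domain.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return any(c in blocklist for c in candidates)


def check_registration_email(raw: str) -> Tuple[bool, str]:
    """Return (accepted, reason_or_normalized_email) for a registration attempt."""
    email = normalize_email(raw)
    if email is None:
        return False, "malformed address"
    domain = email.rsplit("@", 1)[1]
    if is_disposable_domain(domain):
        return False, "disposable or alias provider not accepted"
    return True, email


if __name__ == "__main__":
    print(check_registration_email("Alice+signup@Mail.TempMail.example"))
    print(check_registration_email("alice@corp.example.com"))
```

A domain blocklist is never complete, so this check belongs alongside a mailbox confirmation step and rate limiting on account creation rather than replacing them.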