Change Email Address

Lack of Password Confirmation on Change Email Address

Overview of the Vulnerability

User accounts are more susceptible to account takeover when sensitive actions do not require password confirmation, for example changing the email address, changing the password, managing Multi-Factor Authentication details, and deleting the account.

The application lacks password confirmation on the change email function, which could be abused by an attacker who has access to the user's account (e.g. a public computer the user has not logged out of). From there the attacker could change the account email to one they control. This gives the attacker control over any functionality that relies on email, which they can use to further compromise the user's account.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Use change email address functionality

  4. Intercept the request in a Web Proxy

  5. Adjust and forward the following request to the endpoint:

{{request}}

  6. Observe that no password confirmation is required

Proof of Concept (PoC)

The screenshot(s) below demonstrate the lack of password confirmation when changing the email address:

{{screenshot}}

Recommendation(s)

It is recommended to require password confirmation from users for changes to their account, including the change of email address, to ensure that the requests are made by the legitimate user.
