Email Verification Bypass Easy-P4
Hi, Ajak Amico here, welcome back to another blog. Today I will share how I found an easy email verification bypass flaw on the registration page of a UK government site. Before starting, if you haven’t subscribed to our channel, do subscribe, guys: content related to cyber security, bug bounty, and digital forensics investigation.
Follow our Youtube Channel: @ajakcybersecurity (360 Videos)
Follow on Instagram: AjakCybersecurity
Bug Description:
Title: Guessable API Endpoint Leads to Email Verification Bypass on the Register Page.
Severity: P4
Bug Type: Improper Authentication
Affected domain: Redacted.com (UK.gov)
Since the vulnerability has not been patched yet, I will refer to the target as redacted.com; I found it on a UK government site.
Recon:
As in my usual recon process, I used my favourite tool, https://subdomainfinder.c99.nl/, for subdomain enumeration and opened all the discovered URLs in bulk. The second approach was Google Dorks, such as:
intext:register site:*.*uk.gov
While scrolling through the results, I found an interesting website. It was a site where users can manage their data and register for newsletters, courses, training sessions, and competitions. It had all the basic functionality: a registration page, a login page, file upload, and course purchasing.
Exploitation:
To test the functionality, I started by creating an account on redacted.com and observing the normal response. It functioned as expected: upon registration, a confirmation email was sent containing a token ID and username. Then I fired up Burp Suite and began examining the requests and responses. They appeared quite standard. The request looked like this:
Account-1 (Victim_user)
www.redacted.com/Webaccount?SignupID=NHKS-001026912_075&LDAP_account=victim_user
Once I clicked on the link, my account was verified. Next, I created another account, naming it ‘account-2’ (attacker). I created this account through Burp Suite, hoping to spot any information disclosure, but I had no luck there. However, when I received the confirmation link in my email, I was surprised to find that the token was easily guessable and the link was almost identical to the one for account 1.
Account-2 (Attacker_user)
www.redacted.com/Webaccount?SignupID=NHKS-001026913_075&LDAP_account=attacker_account
As you can see, for account 1 the SignupID was
SignupID=NHKS-001026912_075
and for account 2 the SignupID was
SignupID=NHKS-001026913_075
The only difference is that the numeric part increments from 12 to 13, so the next ID was easily guessable.
So I created account-3 with admin@gov.uk, a mailbox I have no access to, which means I could not confirm the registration the normal way.
But since the token was guessable, I simply constructed the confirmation link myself by incrementing the SignupID. My final URL looked like this:
www.redacted.com/Webaccount?SignupID=NHKS-001026914_075&LDAP_account=admingovuk
I entered the URL in a new tab and, to my surprise, the admin@gov.uk email address was marked as verified.
Then I logged in with the email address and password to cross-verify.
Boom!
Even though it’s just a pre-account takeover, the guessable token undermined the whole registration flow: I was logged in as admin@gov.uk. I reported it and am waiting for the team’s confirmation and further updates. Let’s hope for the best. See you in the next blog! Cheers :)
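As an added illustration (not code from the post or from the affected site), the following Python models the sequential SignupID pattern described above, shows how one link predicts the next, and places a hardened issuer beside it: a random token, only its HMAC stored server-side, bound to the account named in the link, single use and time-limited. The NHKS-… format and the counter values are constructed to match the post; the server key and 24-hour TTL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Weak pattern, modelled on the post: the "token" is a sequential signup counter,
# so whoever receives one confirmation link can predict the next one.
class WeakVerifier:
    def __init__(self, start=1026911):
        self.counter, self.pending = start, {}

    def issue(self, account):
        self.counter += 1
        signup_id = f"NHKS-{self.counter:09d}_075"  # constructed, same shape as the post
        self.pending[signup_id] = account
        return signup_id

    def confirm(self, signup_id, account):
        # Only checks that the ID exists; the account name in the URL is trusted as-is.
        return self.pending.pop(signup_id, None) is not None

def predict_next(signup_id):
    """What the post did by hand: increment the numeric part of the ID by one."""
    prefix, rest = signup_id.split("-", 1)
    num, suffix = rest.split("_", 1)
    return f"{prefix}-{int(num) + 1:0{len(num)}d}_{suffix}"

# Hardened pattern: random 256-bit token, only its HMAC stored, bound to the
# account, single use, time-limited, and compared in constant time.
class SafeVerifier:
    TTL = 24 * 3600  # assumed validity window

    def __init__(self, server_key):
        self.key, self.pending = server_key, {}  # pending: digest -> (account, expiry)

    def _digest(self, token):
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, account, now=None):
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.pending[self._digest(token)] = (account, now + self.TTL)
        return token  # goes into the e-mail only; the database never holds it

    def confirm(self, token, account, now=None):
        now = time.time() if now is None else now
        digest = self._digest(token)
        entry = self.pending.get(digest)
        if entry is None:
            return False
        bound_account, expiry = entry
        if now > expiry or not hmac.compare_digest(bound_account.encode(), account.encode()):
            return False
        del self.pending[digest]  # single use
        return True
```

With the weak verifier, an attacker who registers right before the victim can compute the victim's link; with the hardened one, the account name in the URL is useless without the random token that went to the victim's mailbox.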
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
I hope you learned something from this blog; if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity.❤️
“கற்றவை பற்றவை🔥”
Learn Everyday, Happy Hacking 😁🙌
https://www.buymeacoffee.com/Ajak
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —