Email Verification Bypass Using Race Condition

One day, I decided to hunt on a security services company’s public program with a limited scope. While I had previously hesitated to engage with public programs due to security concerns, this time, I decided to trust myself and simply enjoy testing the program without worrying too much about finding vulnerabilities.

What is the Bug?

The site had a security layer that required users to verify their email address with a token sent to them (this was also required when changing an email address). While editing my email, I discovered a way to bypass this verification layer using a **Race Condition** attack.

Detailed Scenario

Here’s how the vulnerability was exploited step by step:

  1. I registered on the site and verified my email.
  2. I logged into my account and went to the account settings to change my email.
  3. The site displayed the following message:
  4. This gave me an idea to bypass the verification using a Race Condition. If the site only required a valid verification URL but didn’t confirm whether it was associated with the email address, it could be exploited.

  5. I intercepted the "change email" request and sent it to the repeater in my testing tool.
  6. To test it, I sent the request twice using the repeater:
    • In the first request, I added the email I wanted to take over.
    • In the second request, I added my own email address.
  7. I created a group in my tool to send both requests simultaneously:
  8. I clicked the down arrow and selected “Send Group in Parallel.”
  9. Finally, I sent both requests. To my surprise, the second email (e.g., spider4@gmail.com) received a verification URL!

The Unexpected Outcome

I opened the verification URL and, surprisingly, encountered no error. When I checked my account dashboard, I found that the email address had been changed to admin@example.com (the target email) and was marked as verified.

Reporting the Bug

I reported the issue to the security team, and it was triaged as a **P4 Severity Bug**. Unfortunately, their response was not what I had hoped:

Lessons Learned

This experience highlights the importance of checking that verification URLs are strictly tied to the email address they were issued for. Such misconfigurations, while seemingly minor, can lead to significant security vulnerabilities.
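
The check this lesson calls for, as an added example (not code from the original post or the affected site, whose backend the write-up does not show). It assumes a handler that stores a pending address and then mails a token as two separate steps; every class and function name and the `example.test` addresses are constructed for illustration.

```python
import secrets


class Account:
    def __init__(self, email):
        self.email, self.verified, self.pending_email = email, True, None


class EmailChange:
    """bind=False models the assumed flaw; bind=True ties each token to one address."""

    def __init__(self, bind):
        self.bind = bind
        self.accounts = {}  # user_id -> Account
        self.tokens = {}    # token -> (user_id, address the token was mailed to)

    def store_pending(self, user_id, new_email):
        # First half of a change-email request: shared, overwritable state.
        self.accounts[user_id].pending_email = new_email

    def issue_token(self, user_id, new_email):
        # Second half of the same request: a fresh token mailed to new_email.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, new_email)
        return token

    def confirm(self, token):
        record = self.tokens.pop(token, None)  # pop makes the token single-use
        if record is None:
            return False
        user_id, mailed_to = record
        account = self.accounts[user_id]
        # Flawed path trusts whatever is pending now; fixed path uses mailed_to.
        account.email = mailed_to if self.bind else account.pending_email
        account.verified, account.pending_email = True, None
        return True


def replay_interleaving(bind):
    """Replays two overlapping change-email requests in a fixed order."""
    svc = EmailChange(bind)
    svc.accounts["u1"] = Account("old@example.test")  # constructed sample data
    own, other = "own@example.test", "other@example.test"
    svc.store_pending("u1", own)         # request 2, first half
    svc.store_pending("u1", other)       # request 1, first half (overwrites)
    token = svc.issue_token("u1", own)   # request 2, second half
    svc.issue_token("u1", other)         # request 1, second half
    svc.confirm(token)                   # link opened from the "own" mailbox
    return svc.accounts["u1"].email
```

With `bind=False` the replay ends with the account on the address that never received the link; with `bind=True` it ends on the mailbox that actually proved ownership, which makes the function usable as a regression test for the fix.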

🔗 This bug was captured by Mohamed Yasser Ali.
