Simple & Sweet: Bypass email update restriction to change emails of team members

Hello everyone, I hope you are all healthy and safe. Today I would like to explain a recent finding of mine from the first week of January this year. As I always say: test each and every functionality and try to break it. Today's report falls under the same principle.

One day I received a Bugcrowd notification about an old accepted report of mine on <redacted>.com. Since it had been many months since I last tested this program, I thought I would give it another look. That made this program my first target of the year, and I switched into work mode almost immediately.

On this website, users can invite other users in various roles. Only admin users are allowed to edit the details of other admins and lower-level users, but admins are only allowed to edit profile details and are restricted from changing the email address of any user. When you go to the list of all users and try to edit another user's profile details, the email field looks like this:

This means you cannot edit the email address. So I started trying various techniques to break it. One old technique we all know is to inspect the element, and I did the same.

Now, to bypass this, I simply removed readonly="" from the input element.

As you can see, the blocker is removed now. So I edited the email address in this field, submitted the form, and to my surprise the email got updated successfully.

So right now any admin can change the email address of any other team member, which according to the target's workflow should not happen. This confirms that client-side validation exists but backend validation is missing: the readonly attribute is only a hint to the browser, and anything the browser sends can be altered by the user, so the server must enforce the restriction itself. I quickly raised a report on Bugcrowd. The report got triaged within a week with severity P3.
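To make the root cause concrete, here is an added example (not code from the original post or from the affected site) of the server-side handler for such a profile-update form, with the flawed version that trusts whatever fields the client submits beside a hardened version that re-checks the restriction on the server. The roles, field names and request shape are assumptions for illustration.

```python
"""Added example: why a readonly attribute is not access control.

Two versions of a profile-update handler. The first applies every submitted
field, which is what a backend must have been doing if removing readonly=""
in the browser was enough to change another user's email. The second keeps
an allow-list of editable fields on the server, so the restriction holds no
matter what the form sends. Roles and fields below are assumed for the example.
"""
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str          # assumed roles: "admin" or "member"
    email: str
    name: str = ""


# Fields this form may change. Email is deliberately absent: per the site's
# workflow, email must not be changed through the profile-edit form at all.
EDITABLE_FIELDS = frozenset({"name"})


class PermissionDenied(Exception):
    """Raised when the actor is not allowed to perform the requested update."""


def _check_can_edit(actor: User, target: User) -> None:
    # Only admins may edit other users; anyone may edit their own profile.
    if actor.role != "admin" and actor.user_id != target.user_id:
        raise PermissionDenied("only admins may edit other users")


def update_profile_vulnerable(actor: User, target: User, payload: dict) -> User:
    """Flawed handler: trusts the client to have withheld the email field.

    Every submitted attribute that exists on the user record is applied, so a
    request that includes "email" changes the email even though the HTML form
    rendered that field read-only.
    """
    _check_can_edit(actor, target)
    for key, value in payload.items():
        if hasattr(target, key):
            setattr(target, key, value)
    return target


def update_profile_hardened(actor: User, target: User, payload: dict) -> User:
    """Hardened handler: the server decides which fields are editable.

    Unknown or disallowed fields are rejected rather than silently dropped,
    which makes the attempt visible in application logs and to testers.
    """
    _check_can_edit(actor, target)
    disallowed = set(payload) - EDITABLE_FIELDS
    if disallowed:
        raise PermissionDenied(
            f"fields not editable via this form: {sorted(disallowed)}"
        )
    for key, value in payload.items():
        setattr(target, key, value)
    return target


if __name__ == "__main__":
    # Constructed sample data: an admin editing another team member.
    admin = User(user_id=1, role="admin", email="admin@example.test", name="Admin")
    member = User(user_id=2, role="member", email="member@example.test", name="Member")
    # Same request body in both cases, as if the readonly attribute were removed.
    tampered = {"email": "attacker-controlled@example.test"}

    print("vulnerable:", update_profile_vulnerable(admin, member, tampered).email)
    try:
        update_profile_hardened(admin, member, tampered)
    except PermissionDenied as exc:
        print("hardened:", exc)
```

The important design choice is that the allow-list lives on the server and is applied to every request, regardless of how the form was rendered. Client-side attributes such as readonly only shape the user interface; the server cannot rely on them for anything.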

The severity was accepted because, as per the website workflow, only admin-role users can change the email addresses of other users, and the victim user can still log in with their old credentials since the website did not otherwise allow email updates; but any action the victim performs will be recorded under the attacker-updated email.

Timeline:

  • Report sent: 4-01-2021

I hope you liked the explanation above. All is well. Want to connect? You can send your queries via Twitter: https://twitter.com/sunilyedla2 / Instagram: https://www.instagram.com/sunil_yedla/ . Good day!

Bug bounty hunter | QA analyst | Security Researcher