Bypassing the Confirmation Email for Newsletter

Mohammed Israil
Apr 26, 2018 · 3 min read
For Your Internet Freedom

I’ve been meaning to write about this for a while. It all started back in September 2017 when I decided to look for vulnerabilities on BoF.

The reason I chose BoF was that a lot of my Facebook friends were posting about the cool swag they got from BoF. I am just in love with the swag and was eager to test my skills as well.


This blog post is all about an issue in the Newsletter section of BoF, which is marked as Fixed now. I have always believed that sharing is caring, and I have been learning from many security researchers in the Bug Bounty field, so I decided to share this.


A couple of months back, after spending a lot of time testing, I didn’t find anything interesting. At last I noticed there’s a Newsletter section, and because I found their blog posts interesting I thought I would subscribe to their Newsletter.

So I just entered my email in the email field and hit the subscribe button. After that I got to know that they have a mechanism in place to confirm the email if you want to receive the Newsletters. So I logged in to my email and there’s an email from the to confirm the same. But the email which I received to confirm the subscription seemed vulnerable to me, and after digging some more into it I was able to confirm anyone’s email and activate the BoF Newsletter subscription without their prior knowledge.

Brief Explanation:

Here I have used two dummy emails to demonstrate the vulnerability.


At first I used the first email ( for subscription, and to confirm it I got a confirmation email whose link has 3 parts:
the endpoint, the action and the data part.

Here the endpoint is simply the method, the action is the process, and the data is the token.

Reproduction Instruction:

(01) Go to the official website as
(02) Go to the Newsletter section at the bottom of the page and enter your email. (e.g —
(03) Then you’ll get a confirmation mail at that email address.
(04) Just copy the confirmation link and paste it somewhere you can edit it.

This is for the email address, right?

(05) Then just edit the URL as:

Here I have used my second email, but you can use any email ID to activate the subscription.

(06) Visit the new edited URL. Boom!!

And there on the page you’ll see a message from BoF:

You are registered on one or more of our newsletters or mailing lists. Can’t you wait? Then read our latest news.

At the bottom of each newsletter, you can unsubscribe yourself from all your newsletters at once and manage your listings.

What’s the issue:

The BoF team is using the MailPoet newsletter plugin, and the issue is with the MailPoet plugin, not with the site itself. The MailPoet system failed to validate the token against the email address being confirmed.

How can it affect:

An attacker can subscribe anyone just by knowing their email address.
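To make the bug class concrete, here is an added example (my own illustration, not MailPoet’s or BoF’s code) of a confirmation handler that accepts a token without tying it to the email in the link, next to a hardened version that binds the token to the address with an HMAC. The query parameter names (action, data, email), the secret and the sample addresses are all assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed server-side state for the example (not real MailPoet internals).
SECRET_KEY = b"constructed-server-secret"            # assumed per-site secret
PENDING_EMAILS = {"alice@example.test", "bob@example.test"}  # addresses that asked to subscribe
ISSUED_TOKENS = {"tok-for-alice"}                     # tokens the vulnerable handler knows about


def parse_confirmation_link(url: str) -> dict:
    """Split a link into the three parts the post describes (endpoint, action,
    data = token) plus the email parameter being confirmed. Names are assumed."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    first = lambda k: q.get(k, [""])[0]
    return {"endpoint": parsed.path, "action": first("action"),
            "data": first("data"), "email": first("email").lower()}


def confirm_vulnerable(url: str) -> bool:
    """Bug class from the post: the token is checked for existence only,
    never against the email in the link, so swapping the email still works."""
    link = parse_confirmation_link(url)
    if link["action"] != "confirm":
        return False
    return link["data"] in ISSUED_TOKENS


def issue_token(email: str) -> str:
    """Hardened: derive the token from the email with a keyed hash, so it is
    only valid for the address the confirmation mail was sent to."""
    return hmac.new(SECRET_KEY, email.lower().encode(), hashlib.sha256).hexdigest()


def confirm_hardened(url: str) -> bool:
    """Accept only if the address actually requested a subscription and the
    token matches the one issued for that exact address."""
    link = parse_confirmation_link(url)
    if link["action"] != "confirm" or link["email"] not in PENDING_EMAILS:
        return False
    expected = issue_token(link["email"])
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, link["data"])
```

A server-side random token stored per pending address and looked up by that address would work just as well; the point is that the check must involve the email, not just the token.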

At the end, I got a cool T-shirt and some BoF stickers as a token of appreciation from the BoF team.

Token of Appreciation

Thanks for Reading!

~ Mohammed Israil:
