Apr 21, 2019 · 1 min read

Description :-

The website have functionality which let user to add another email on his/her account. But to confirm whether newly added email belongs to user or not , website sends the confirmation link to the added email address account.

In this article we will see how this confirmation was bypassed which let the bug hunter to add any email which he/she does not own.

I tried to add my email and gets the confirmation link which looks like this


First I thought this [SOME_TOKEN_HERE] is randomly generated unique token which should be expired after a use and it cannot be predicted. But I was wrong this was nothing but token generated for given email address and this token was reflected at HTTP response of the HTTP request to add email

So, now what we can do is to add any email which we don't own. e.g. and then intercept the request and look for []

at response of the respective request.
Now the final link will look like this


As soon you click on above link , the email address gets confirmed without access of the email address account.

Point to note :-

Look whether any link for any confirmation you recieved at email account is reflecting at HTTP response or not. Somehow, try to use that for bypassing the confirmation.


The program doesn't offer bounty , all I got was +7 reputation points and words from triager "NICE FIND!"

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store