[CONFIRMATION BYPASS]

Description :-

The website has a feature that lets a user add another email address to his/her account. To confirm that the newly added address really belongs to the user, the website sends a confirmation link to that address.

In this article we will see how this confirmation was bypassed, which let the bug hunter add any email address he/she does not own.


I tried to add my email and got a confirmation link which looks like this:

https://www.SomeWebsite.com/account_settings/confirm_email/[SOME_TOKEN_HERE]?and_other_parameters_with_some_values

First I thought this [SOME_TOKEN_HERE] was a randomly generated unique token that should expire after one use and cannot be predicted. But I was wrong: this was nothing but a token generated for the given email address, and this token was reflected in the HTTP response to the HTTP request that adds the email.

So now what we can do is add any email address we don't own, e.g. notmyemail@xoxo.com, then intercept the request and look for [SOME_TOKEN_HERE_OF_notmyemail@xoxo.com] in the response to that request.

Now the final link will look like this:

https://www.SomeWebsite.com/account_settings/confirm_email/[SOME_TOKEN_HERE_OF_notmyemail@xoxo.com]?and_other_parameters_with_some_value

As soon as you click on the above link, the email address notmyemail@xoxo.com gets confirmed without any access to that email account.
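To make the root cause and the fix concrete, here is an added example (not the site's code, and not the author's) that models both flows in plain Python with constructed in-memory stand-ins for the database and the mail service. The vulnerable handler derives the token from the email address and echoes it in the HTTP response, exactly the defect described above; the hardened handler issues a random token, stores only its hash, binds it to the user and address, expires it, accepts it once, and never returns it to the caller. The function names, the `PENDING`/`CONFIRMED`/`OUTBOX` stores and the one-hour TTL are assumptions for the example.

```python
import hashlib
import secrets
import time

# In-memory stand-ins for the site's database and mail service. These are
# constructed for this example and are not the original site's code.
PENDING = {}        # lookup key -> {"user_id", "email", "expires"}
CONFIRMED = set()   # (user_id, email) pairs that passed confirmation
OUTBOX = []         # (recipient, link) pairs the fake mailer "sent"
TOKEN_TTL_SECONDS = 3600   # assumed lifetime of a confirmation link
BASE = "https://www.SomeWebsite.com/account_settings/confirm_email/"


def send_confirmation_mail(email, token):
    """Fake mailer: records the link that would have gone to `email`."""
    OUTBOX.append((email, BASE + token))


def vulnerable_add_email(user_id, email):
    """The flawed pattern from the write-up: the token is derived from the
    email address and, decisively, echoed back in the HTTP response, so
    whoever submits the request learns it without ever seeing the mailbox."""
    token = hashlib.sha256(email.encode()).hexdigest()
    PENDING[token] = {"user_id": user_id, "email": email, "expires": None}
    send_confirmation_mail(email, token)
    return {"status": "pending", "email": email, "token": token}   # the leak


def vulnerable_confirm(token):
    """Accepts the raw token; it never expires and is never invalidated."""
    entry = PENDING.get(token)
    if entry is None:
        return False
    CONFIRMED.add((entry["user_id"], entry["email"]))
    return True


def hardened_add_email(user_id, email):
    """Hardened version: an unguessable random token, stored only as a hash,
    bound to (user, email), time-limited, and delivered by email alone.
    The response tells the caller nothing that could stand in for the mail."""
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = {
        "user_id": user_id,
        "email": email,
        "expires": time.time() + TOKEN_TTL_SECONDS,
    }
    send_confirmation_mail(email, token)
    return {"status": "pending", "email": email}


def hardened_confirm(token):
    """Looks the token up by its hash, rejects expired ones, and removes the
    record on success so a second use of the same link fails."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.get(key)
    if entry is None or entry["expires"] is None or entry["expires"] < time.time():
        return False
    del PENDING[key]            # single use
    CONFIRMED.add((entry["user_id"], entry["email"]))
    return True


def demo():
    """Runs both flows the way the write-up describes and reports what each
    response exposes. Returns a dict so the outcome can be checked."""
    PENDING.clear()
    CONFIRMED.clear()
    OUTBOX.clear()
    target = "notmyemail@xoxo.com"    # an address the account holder does not own

    # Vulnerable flow: the HTTP response alone is enough to confirm the address.
    resp = vulnerable_add_email("attacker-account", target)
    vuln_confirmed = vulnerable_confirm(resp["token"])

    # Hardened flow: the response carries no token, a token derived from the
    # address is useless, and only the mailed link works, exactly once.
    resp2 = hardened_add_email("attacker-account", target)
    leaked = "token" in resp2
    derived_guess = hardened_confirm(hashlib.sha256(target.encode()).hexdigest())
    mailed_token = OUTBOX[-1][1][len(BASE):]
    first_use = hardened_confirm(mailed_token)
    second_use = hardened_confirm(mailed_token)

    return {
        "vulnerable_confirmed_from_response": vuln_confirmed,
        "hardened_response_leaks_token": leaked,
        "hardened_derived_guess_works": derived_guess,
        "hardened_mailed_token_works_once": bool(first_use and not second_use),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two properties worth checking in any add-email endpoint are visible side by side here: the response body of the add request must not contain anything that can be exchanged for the confirmation, and the confirmation handler must only honour a random, hashed, expiring, single-use value that was delivered out of band.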

Point to note :-

Check whether any confirmation link you received at your email account is also reflected in an HTTP response. If it is, try to use that to bypass the confirmation.

BOUNTY :-

The program doesn't offer a bounty; all I got was +7 reputation points and the words "NICE FIND!" from the triager.