Vulnerability Summary
This writeup details a critical business logic vulnerability in the email change flow of a platform. By combining an OTP Bypass and a CSRF, it was possible to arbitrarily replace any user's email address with a single click, resulting in a complete Account Takeover (ATO).
Note: All data exposing the real identity of the company or the endpoints has been replaced with fictional environments and values (api.example.com) to protect confidentiality.
The flaw resided in how the server handled the email change request, which required validation through an OTP code sent to the new address. The responsible endpoint was:
https://api.example.com/user/userAction!modifyEmail.action?email=[NEW_EMAIL]&checkcode=[OTP]
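The endpoint above takes the new address and the OTP as query parameters of a single request. The following is an added example, not code from the writeup or from the affected platform, showing the server-side checks a hardened version of this flow needs: the pending change is stored server-side and bound to the user and the address the code was sent to, the action only runs on POST with a CSRF token tied to the session, the code is single-use, expires, and is rate-limited. The `Request` class, the `EmailChangeService` API, and the policy constants are assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 600   # constructed policy value: codes expire after 10 minutes
OTP_MAX_ATTEMPTS = 5    # constructed policy value: 5 bad codes void the pending change


@dataclass
class PendingEmailChange:
    """Server-side record created when a user asks to change their address."""
    user_id: str
    new_email: str
    code: str
    created_at: float
    attempts: int = 0


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not the platform's framework)."""
    method: str
    session_user: str         # user authenticated by the session cookie
    session_csrf_token: str   # anti-CSRF token stored in the session at login
    form: dict = field(default_factory=dict)


class EmailChangeService:
    """Hypothetical service: two-step email change with OTP and CSRF protection."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # user_id -> PendingEmailChange
        self._emails = {}    # user_id -> current email

    def request_change(self, user_id: str, new_email: str) -> str:
        """Step 1: generate a code bound to this user AND this new address.
        The code is returned here only so a test can use it; a real deployment
        sends it to new_email and never returns it to the client."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingEmailChange(user_id, new_email, code, self._now())
        return code

    def modify_email(self, req: Request) -> tuple:
        """Step 2: apply the change. Each check here is absent from a design that
        accepts GET ?email=...&checkcode=... and trusts the parameters as given."""
        # State-changing action: never on GET, so a cross-site <img>/<a> load cannot trigger it.
        if req.method != "POST":
            return 405, "method not allowed"
        # CSRF: the token in the body must match the one tied to the session.
        if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session_csrf_token):
            return 403, "bad csrf token"
        pending = self._pending.get(req.session_user)
        if pending is None:
            return 400, "no pending change"
        if self._now() - pending.created_at > OTP_TTL_SECONDS:
            del self._pending[req.session_user]
            return 400, "code expired"
        if pending.attempts >= OTP_MAX_ATTEMPTS:
            del self._pending[req.session_user]
            return 429, "too many attempts"
        # The target address comes from the server-side record, not the request,
        # so a code issued for one address cannot be used to set a different one.
        if req.form.get("email", "") != pending.new_email:
            pending.attempts += 1
            return 400, "email does not match pending change"
        # Constant-time comparison of the submitted code against the stored one.
        if not hmac.compare_digest(req.form.get("checkcode", ""), pending.code):
            pending.attempts += 1
            return 400, "bad code"
        # Single use: consume the record before applying the change.
        del self._pending[req.session_user]
        self._emails[req.session_user] = pending.new_email
        return 200, "email updated"

    def email_of(self, user_id: str):
        return self._emails.get(user_id)
```

The key design point is that the request carries nothing the server trusts on its own: the user comes from the session, the address from the pending record, and the code is only accepted once, for that address, within its lifetime and attempt budget.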