Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3378540 by theokeen
I received an email from the new points and rewards system stating that I had reached Level 4, and the reward was a 3-month Burp Suite Pro license (sponsored by PortSwigger). The email included a “Redeem it here” button, which redirected me to a Google Form. After filling out the form, I received a valid license in my email.
The issue is that there is no validation or verification tied to the user’s account, which allows an attacker to obtain multiple licenses simply by using different email addresses.
Evidence
Email content (relevant section):
Hi theokeen, You’ve reached Level 4!
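The gap described above is that the redemption step trusts whatever e-mail address is typed into a form, with nothing tying the claim back to the account that earned Level 4. The following is an added example, not code from the report or from the rewards program, showing one way to close it: the "Redeem it here" link carries a token signed by the rewards service and bound to the earning account, and the server records each (account, reward) claim as spent. The secret, the reward identifier, the account identifiers and the weak_redeem() stand-in for the form flow are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: held server-side only; a real deployment keeps it in a secret store and rotates it.
SERVER_SECRET = b"constructed-example-secret-rotate-in-production"


def weak_redeem(submitted_emails):
    """The pattern in the report: no link to the earning account, so N addresses yield N licenses."""
    return {email: "LICENSE-" + hashlib.sha256(email.encode()).hexdigest()[:12]
            for email in submitted_emails}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_redeem_token(account_id: str, reward_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint the token the e-mail link should carry: who earned it and which reward,
    with an HMAC-SHA256 over the encoded payload so neither field can be altered."""
    payload = {"sub": account_id, "reward": reward_id, "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def redeem(token: str, authenticated_account_id: str, spent: set, secret: bytes = SERVER_SECRET):
    """Hardened redemption. Returns (ok, detail); detail is the license on success.

    Checks, in order: token integrity, that the caller is logged in as the account the
    token was issued to, and that this account has not already claimed this reward.
    """
    body, _, sig = token.partition(".")
    if not sig:
        return False, "malformed token"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    payload = json.loads(_unb64(body))  # safe to parse: signature already verified
    if payload["sub"] != authenticated_account_id:
        return False, "token was not issued to this account"
    claim = (payload["sub"], payload["reward"])
    if claim in spent:
        return False, "reward already redeemed by this account"
    spent.add(claim)  # one license per account per reward, however many e-mail addresses the user owns
    return True, "LICENSE-" + secrets.token_hex(6)


if __name__ == "__main__":
    print("weak flow, three addresses:",
          len(weak_redeem(["a@example.test", "b@example.test", "c@example.test"])), "licenses")
    spent = set()
    tok = issue_redeem_token("theokeen", "burp-pro-3mo")
    print("first redeem:", redeem(tok, "theokeen", spent))
    print("replay:", redeem(tok, "theokeen", spent))
    print("other account:", redeem(tok, "other-user", spent))
```

The key design point is that the redemption decision is made against the session's authenticated account and a server-side record of claims, not against anything the user types; the e-mail address becomes irrelevant to entitlement. Re-issuing a fresh token for the same account and reward is also refused once the claim is recorded.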
HackerOne disclosed report --> https://hackerone.com/reports/3543475 by xavlimsg
A vulnerability was identified where an authenticated user could disable Multi-Factor Authentication (MFA) on their own account by modifying hidden account attributes through a backend API endpoint. This allowed subsequent logins without an MFA prompt, effectively bypassing the security control and increasing the risk of unauthorized access in the event of credential compromise.
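The summary above is a mass-assignment problem: a generic account-update handler writes whatever attributes the client sends, and one of them controls whether MFA is enforced. The following is an added example, not code from the report or from the affected service, putting the vulnerable pattern next to a hardened one. vulnerable_update() writes any attribute present on the model; hardened_update() allowlists the profile fields a user may edit and rejects the whole request if anything else is present, and turning MFA off is moved to a dedicated disable_mfa() step that demands a fresh re-authentication plus a valid current code. The Account shape, the field names and the step-up flags are assumptions; the report on this page does not name the real attribute or endpoint.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    display_name: str
    timezone: str = "UTC"
    mfa_enabled: bool = True          # security attribute: must never be client-writable
    audit_log: list = field(default_factory=list)


def vulnerable_update(account: Account, patch: dict) -> Account:
    """Writes any attribute that exists on the model, mfa_enabled included.
    This is the behaviour the report describes."""
    for name, value in patch.items():
        if hasattr(account, name):
            setattr(account, name, value)
    return account


# Assumption: the only profile fields a user may change through the self-service endpoint.
USER_EDITABLE = frozenset({"display_name", "timezone"})


def hardened_update(account: Account, patch: dict):
    """Allowlist-based update. Returns (ok, detail).

    Unknown fields cause the whole request to be rejected rather than silently dropped,
    so a client probing for hidden attributes gets a visible error and an audit entry,
    and nothing is partially applied."""
    extra = set(patch) - USER_EDITABLE
    if extra:
        account.audit_log.append(f"rejected attributes: {sorted(extra)}")
        return False, f"attributes not permitted: {sorted(extra)}"
    for name, value in patch.items():
        setattr(account, name, value)
    return True, "updated"


def disable_mfa(account: Account, reauthenticated: bool, current_code_valid: bool) -> bool:
    """Dedicated, step-up-protected operation: weakening the control requires proving
    possession of both factors right now. The outcome is logged either way."""
    if not (reauthenticated and current_code_valid):
        account.audit_log.append("mfa disable refused: step-up not satisfied")
        return False
    account.mfa_enabled = False
    account.audit_log.append("mfa disabled after step-up verification")
    return True


def login_needs_mfa(account: Account) -> bool:
    """What the next login consults; shows the downstream effect of each path."""
    return account.mfa_enabled


if __name__ == "__main__":
    a = Account("u1", "alice")
    vulnerable_update(a, {"display_name": "alice", "mfa_enabled": False})
    print("vulnerable path, MFA prompt at next login:", login_needs_mfa(a))
    b = Account("u2", "bob")
    print(hardened_update(b, {"display_name": "bob", "mfa_enabled": False}))
    print("hardened path, MFA prompt at next login:", login_needs_mfa(b))
```

Two choices are deliberate here: the allowlist is a positive list of editable fields rather than a denylist of dangerous ones, so a newly added sensitive attribute is protected by default; and MFA changes live on their own code path with their own authorization requirement, so no amount of creativity in the generic update body can reach them.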
HackerOne disclosed report --> https://hackerone.com/reports/3020021 by adilnbabras