Vulnerability Summary
A major organization's identity platform (built on a managed Customer Data Cloud / Gigya stack) let any authenticated user change their account email to an arbitrary unregistered address through the client-side accounts.setAccountInfo() API call, with no verification email, no CAPTCHA, and no re-authentication with the current password.
The registration flow enforces both email verification and CAPTCHA, but this client-side call bypasses both. Root cause: the profile.email field is configured with writeAccess: clientModify in the identity schema (confirmed via a publicly accessible accounts.getSchema endpoint), so the client is allowed to write it directly.
The bug was a Business Logic vulnerability that allowed users to access paid features while they were on a free plan.