Allows disposable email address to create multiple accounts.

Disclosed by Zero1s3c
  • Engagement: Linktree
  • Disclosed date: almost 2 years ago
  • Priority: P5 (Bugcrowd's VRT priority rating)
  • Status: Informational (this vulnerability is seen as an accepted business risk)
Summary by Zero1s3c

Can we disclose this!

Report details
  • Submitted
  • Target Location: *.odesli.co
  • Target category: Web App
  • VRT: Insufficient Security Configurability > Weak Registration Implementation > Allows Disposable Email Addresses
  • Priority: P5
  • Bug URL: https://odesli.co/
  • Description

    Allows Disposable Email Addresses

    Overview of the Vulnerability

    When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application allows users to submit a disposable or alias email address to register an account.

    Business Impact

    Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure.

    Steps to Reproduce

    1. Use a browser to navigate to: https://odesli.co/
    2. Then click on Login to start and on the new page click on Signup Option.
    3. Register an account using a disposable email service (I used temp mail).
    4. Observe that the new account is created and we are redirected to the dashboard of our account.
    5. Then go to your disposable email page; there will be an email from Odesli. Click on the confirm email link and your new account will be activated.

    IMPACT

    An attacker can abuse this weakness to bulk register fake user profiles and use them to launch spam campaigns. An attacker could also use this vulnerability to create multiple accounts, which will result in slow server response for other users, and also manage to perform a DDoS attack.

    Proof of Concept (PoC)

    The following screenshot shows the weak registration implementation:
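A defender's counterpart to the weakness reported above, as an added example that is neither Odesli's code nor the reporter's: a registration-time check that canonicalizes each submitted address (lowercasing, stripping `+tag` sub-addresses, collapsing Gmail dot variants) and rejects domains on a disposable-provider blocklist, so one throwaway mailbox cannot seed many accounts. The domains in `DISPOSABLE_DOMAINS` are constructed placeholders; a real deployment would load a maintained list.

```python
"""Registration-time email screening against disposable and alias addresses."""
import re
from typing import Optional, Set

# Constructed sample blocklist (placeholders, not real providers); a real
# deployment loads a maintained disposable-domain list here.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}
# Providers that ignore dots in the local part and honour "+tag" sub-addressing.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
_ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def canonicalize(email: str) -> Optional[str]:
    """Return the mailbox an address actually delivers to, or None if malformed."""
    email = email.strip().lower()
    if not _ADDR_RE.match(email):
        return None
    local, domain = email.rsplit("@", 1)
    # user+anything@ delivers to user@, so the tag must not create a new identity.
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


def is_disposable_domain(domain: str) -> bool:
    """True if the domain or any parent domain is blocklisted (covers subdomains)."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS
               for i in range(len(labels) - 1))


def check_registration(email: str, registered: Set[str]) -> str:
    """Return 'ok' and record the canonical mailbox, or a rejection reason."""
    canon = canonicalize(email)
    if canon is None:
        return "malformed"
    domain = canon.rsplit("@", 1)[1]
    if is_disposable_domain(domain):
        return "disposable_domain"
    if canon in registered:
        return "duplicate_mailbox"
    registered.add(canon)
    return "ok"


if __name__ == "__main__":
    seen: Set[str] = set()
    for addr in ["Alice@example.com", "alice+shop@example.com",
                 "bob@mail.tempmail.example", "not-an-email"]:
        print(f"{addr:32} -> {check_registration(addr, seen)}")
```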
