[ BUG BOUNTY ] Allowing Registration With the Official Domain
Hello fellow researchers, how are you? I hope you are always in good health and that everything you are working on goes smoothly.
I want to share how I found a bug that falls into the category "Insufficient Security Configurability > Lack of Verification Email". This bug is simple to find; here are the STR (Steps to Reproduce):
==============
Proof of Concept :
1. Go to www.redacted.com
2. Go to the Register Account page
3. Register with an email address on the target's own domain: xxxxx@redacted.com
   -> e.g. adminsuper@redacted.com
4. Create the account
5. Boom! You are signed in to the system with an account that was never verified
===============
Security Impact: email addresses on the main domain can be used to sign in without any verification, so an attacker can perform actions under an official company email address.
"sometimes you can enter the system without verification"
References :
Reward : Hall of Fame
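As an added example (not code from the original write-up or from the affected program), the following Python sketch shows the two server-side controls whose absence produces the finding above: self-registration is refused for addresses on the organization's own domains, and every other account stays locked out of sign-in until the emailed verification token is presented. The domain list (`RESERVED_DOMAINS` with the placeholder `redacted.com`), the store and function names, and the sample addresses are all assumptions constructed for the example.

```python
"""Added example: minimal registration/verification/login flow that closes
the 'register with the official domain, no verification' gap.

Assumed names: RESERVED_DOMAINS, UserStore, register, verify, login.
Sample addresses are constructed; 'redacted.com' is a placeholder.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Domains the organization controls. Self-registration with these is refused
# so nobody can mint a staff-looking account. Placeholder value.
RESERVED_DOMAINS = frozenset({"redacted.com"})


@dataclass
class User:
    email: str
    password_hash: str  # placeholder; derive with a real KDF (argon2/bcrypt) in production
    verified: bool = False
    verify_token: Optional[str] = None


@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)
    # Stands in for the outgoing mail queue: (recipient, token)
    outbox: List[Tuple[str, str]] = field(default_factory=list)


class RegistrationError(Exception):
    pass


def normalize_email(email: str) -> str:
    """Lower-case and strip so 'Admin@REDACTED.com ' still hits the reserved list."""
    email = email.strip().lower()
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise RegistrationError("malformed email address")
    return email


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1]


def register(store: UserStore, email: str, password_hash: str) -> User:
    """Create an UNVERIFIED account; official-domain addresses are refused outright."""
    email = normalize_email(email)
    if domain_of(email) in RESERVED_DOMAINS:
        # Staff accounts come from an authenticated provisioning path (SSO/IdP),
        # never from the public sign-up form.
        raise RegistrationError("addresses on this domain cannot self-register")
    if email in store.users:
        raise RegistrationError("account already exists")
    token = secrets.token_urlsafe(32)
    user = User(email=email, password_hash=password_hash, verify_token=token)
    store.users[email] = user
    store.outbox.append((email, token))  # "send" the verification email
    return user


def verify(store: UserStore, email: str, token: str) -> bool:
    """Mark the account verified if the single-use token matches."""
    user = store.users.get(normalize_email(email))
    if user is None or user.verify_token is None:
        return False
    if not hmac.compare_digest(user.verify_token, token):
        return False
    user.verified = True
    user.verify_token = None  # token is single use
    return True


def login(store: UserStore, email: str, password_hash: str) -> bool:
    """Sign-in succeeds only for a VERIFIED account with matching credentials."""
    user = store.users.get(normalize_email(email))
    if user is None or not user.verified:
        return False
    return hmac.compare_digest(user.password_hash, password_hash)


if __name__ == "__main__":
    store = UserStore()
    try:
        register(store, "adminsuper@redacted.com", "hash")
    except RegistrationError as exc:
        print("refused:", exc)
    register(store, "someone@example.org", "hash")
    print("login before verify:", login(store, "someone@example.org", "hash"))
    recipient, token = store.outbox[-1]
    print("verified:", verify(store, recipient, token))
    print("login after verify:", login(store, "someone@example.org", "hash"))
```

The check on `RESERVED_DOMAINS` runs on the normalized address, so case or whitespace variants of the official domain are caught as well; the `verified` flag is enforced in `login`, not only at registration time, so an account that somehow exists without verification still cannot sign in.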