Race condition to bypass email verify, part #2
$ whoami
Hi bug hunter, my name is Sirat, from Iraqi Kurdistan. A few stories ago I shared a story about bypassing email verification by exploiting a race condition. I noticed that many of you liked the story and were interested in the technique, so I would like to share the next story, which is also a race condition vulnerability that can lead to an email verification bypass.
As we know, email verification can sometimes be very sensitive on some targets, especially the targets on which I try to find such a vulnerability…
Email verification is simply a mechanism that forces users to confirm that the email they use on their account belongs to them and is not a fake email address. Since in some cases it is used in very sensitive functions, a weakness in it may even lead to authentication bypass vulnerabilities, so don’t forget to test for email verification vulnerabilities.
Steps and the exploitation scenario
The target vulnerable to this attack did not have many functions, so I usually try to find logical bugs; here is how I did it:
1. The target allows you to create accounts. Of course it doesn’t force you to verify the email until you need to perform some sensitive actions, such as joining an organization, inviting a victim, or sharing a post.
2. As the attacker you have to create an account. Like any other user you will confirm an email that you have access to; it can be any email address that you have access to.
3. Now you need to change your email to a second address which is also owned by you. Here is what the request looks like:

POST /email/change HTTP/1.1
Host: app.target.com
Content-Type: application/x-www-form-urlencoded
email=yournextemail@mail.com&pass=mypassword

Do not confirm it for now; send this request to Repeater.
4. After attempting to change your email, you will receive a link in your email that allows you to complete the email change and verify your new email. Here is what that request looks like:

POST /email/confirm?token=!@#asfAADS HTTP/1.1
Host: app.target.com

Send the email confirmation request to Burp Suite’s Repeater as well, and do not confirm it yet.
5. There’s something you need to understand: the email confirmation token you received is for the email yournextemail@mail.com, which is already owned by you, and you haven’t confirmed the email yet. Don’t forget that.
6. In the email change request, change the email to any other email which is not owned by you and which you want to use as a fake email, e.g. fakemail@mail.com.
7. Burp Suite allows you to submit both the email change request and the email confirm request in parallel by adding them to a single group. So what you do is submit the request confirming your email yournextemail@mail.com (the one that contains the email confirm token) together with the request changing your email to fakemail@mail.com. Once you have submitted both requests in parallel, fakemail@mail.com is confirmed on your account without you having access to that mailbox, and that’s how the email confirmation bypass works.
What is going on?
Due to the parallel nature of these requests, there is a time window where the system might process the requests in an unpredictable manner. If the system processes the email change request (victim@mail.com) before it processes the email confirmation request for attacker2@mail.com, the attacker can end up confirming the victim@mail.com address, despite it not being the intended email for verification. (ChatGPT said…)
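To make the root cause concrete, here is an added illustration (my own constructed model, not the target’s code). The confirm handler that is vulnerable checks the token and then promotes whatever pending address is current at that moment, so a change request that lands in between wins; the fixed handler only promotes the address the token was issued for. The `race` helper replays that losing interleaving sequentially rather than running real threads.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed in-memory account model (assumption: one pending address per account).
@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None
    tokens: Dict[str, str] = field(default_factory=dict)  # token -> email it was issued for

def request_change(acct: Account, new_email: str) -> str:
    """Email change request: record the pending address and issue a confirmation token."""
    acct.pending_email = new_email
    token = secrets.token_urlsafe(16)
    acct.tokens[token] = new_email
    return token

def confirm_vulnerable(acct: Account, token: str) -> bool:
    """Vulnerable: validates the token, then trusts whatever pending_email is
    current at confirm time. A concurrent change request can swap it in between."""
    if token not in acct.tokens:
        return False
    acct.email = acct.pending_email  # time-of-check/time-of-use gap: not the address the token was for
    acct.pending_email = None
    acct.tokens.clear()
    return True

def confirm_fixed(acct: Account, token: str) -> bool:
    """Fixed: the token carries the address it was issued for, and only that
    address can be promoted, no matter what pending_email says now.
    (A second layer, not shown: invalidate old tokens on every change request.)"""
    issued_for = acct.tokens.pop(token, None)
    if issued_for is None or issued_for != acct.pending_email:
        return False
    acct.email = issued_for
    acct.pending_email = None
    acct.tokens.clear()
    return True

def race(confirm: Callable[[Account, str], bool]) -> str:
    """Replay the interleaving the race produces: the second change request lands
    after the confirm request has passed its token check but before it reads pending_email."""
    acct = Account(email="first@mail.com")
    token = request_change(acct, "yournextemail@mail.com")  # address the attacker controls
    request_change(acct, "fakemail@mail.com")               # unverified address, lands mid-confirm
    confirm(acct, token)
    return acct.email
```

With the vulnerable handler the account ends up on fakemail@mail.com; with the fixed handler the confirm is rejected and the verified address is unchanged.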
But why does that matter when you can read my next stories??? Don’t forget to catch my stories and follow me on Twitter: siratsami71
Wish you all the best, sorry for shitty english.