Race Condition Vulnerability to bypass email confirmation

Sirat Sami (analyz3r)
3 min readJun 28, 2024

--

Who am I?

My name is Sirat, 23yo, independent security researcher at H1 platform.

The Story

Today I wanted to share a interesting and simply exploited Race Condition vulnerability which allowed attackers to bypass the email confirm that required for any users who want to invite other users to their organization.

My goal was to find a vulnerability that allows me to invite victims with fake email addresses and email addresses that not owned by me, and I have chose this goal because this kind of vulnerability can have a huge impact on the targets functionality.

While reading the story, you can learn of how I look for vulnerabilities and how to find this kind of vulnerabilities, so this is not only a story but also a resource of learning.

Understanding the target

Here is something that we need to know before exploiting the vulnerability and take a note about it:
1. The application allows us to register with any email address, and you are not required to confirm the email until you want to invite someone to your organization, so you need to confirm your email address only when you want to invite someone.
2. You cannot change your email address once you sent an invite, since your email address will be displayed for the invited user and this is due to not allow attackers to use fake emails.
3. Along with those restrictions, you can always change your email address at any moment, except if you already have invited someone.

By understanding these 3 points, if you are a race condition lover, you will definitely think of race condition just like me, I thought about what happens if I try to send the invite to the victim with a verified email address but also change my email address at the same time which is only possible by exploiting a race condition, and if my email changed then the email will be displayed to the victim without confirming the email since the application doesn’t force you to confirm the email except when you have an active invite.

The Exploitation

This is a sample request of inviting the victim:

Now send this request to burpsuite repeater but don’t submit the request or invite the victim, and here is a sample of email changing request:

Make sure you already have a confirmed email address on your account and send the email change request to repeater 4 times, now you have 5 tabs of requests, one of them is inviting the victim and others is changing the email address, create a group of them and send requests in parallel.
Here is what the requests look like behind the scenes:

As you see the application has invited the victim before the email changing process be done, and when the invite is done then the email is changed, This is allows the attacker to change the email before the application check for the email and this is how the evasion works…

From the victims window if you visit invitations page, you can see the attacker has invited you with a fake email attackers-fake-email@mail.com
And yes, we finally able to invite victims with fake email addresses…

Wish you all best and hope you enjoyed the story ❤
https://twitter.com/siratsami71

--

--

Responses (3)