@superboy-zjc
Last active March 24, 2025 01:18
Logic vulnerability in open-event-server, leading to email verification bypass

Summary

Open event server is vulnerable to an email verification bypass. An attacker can register any email address as an account with verified status.

Proof of Concept

  • The attacker first registers an account with their own email address and verifies it.

  • The attacker creates a group with an arbitrary name.

  • The attacker invites the email address to compromise, say admin@jhu.edu, to the newly created group.

  • The attacker obtains the invitation token from the HTTP response.

  • The attacker creates an account with the email admin@jhu.edu; this account has unverified status.

  • The attacker crafts and visits the invitation accept link with that token: http://proof-of-concept:4200/group-invites?token=44556328039204036848740965298508996364. The email is now shown as successfully verified.

Root Cause

The developer assumes that the invitation link is only ever clicked from the invitee's email inbox, so accepting an invitation is treated as an email verification step. However, the token is also returned to the inviter in the HTTP response, so possession of the token does not prove control of the inbox. This logic flaw leads to the email verification bypass.
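To make the root cause concrete, here is a small in-memory model of the flaw beside a hardened variant. This is an added illustration, not open-event-server's code: the class and method names (InviteService, accept_vulnerable, accept_hardened), the email addresses and the group names are all constructed for the example. The vulnerable variant both leaks the token in the inviter's response and sets the verified flag on acceptance; the hardened variant returns no token to the inviter and keeps invite acceptance separate from email verification.

```python
"""Toy model of the invite-acceptance logic flaw described in the write-up.

Added illustration only; not open-event-server's code. All names and
addresses below are invented for the example.
"""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    email: str
    is_verified: bool = False


@dataclass
class GroupInvite:
    token: str
    group: str
    invitee_email: str
    accepted: bool = False


class InviteService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.invites: dict[str, GroupInvite] = {}
        # (recipient, token) pairs; stands in for the outgoing mail queue
        self.outbox: list[tuple[str, str]] = []

    def register(self, email: str, verified: bool = False) -> User:
        user = User(email=email, is_verified=verified)
        self.users[email] = user
        return user

    def create_invite_vulnerable(self, group: str, invitee_email: str) -> dict:
        """Flawed: the API response hands the secret token back to the inviter."""
        token = secrets.token_hex(16)
        self.invites[token] = GroupInvite(token, group, invitee_email)
        self.outbox.append((invitee_email, token))
        return {"group": group, "email": invitee_email, "token": token}

    def create_invite_hardened(self, group: str, invitee_email: str) -> dict:
        """The token goes only to the invitee's inbox; the inviter never sees it."""
        token = secrets.token_hex(16)
        self.invites[token] = GroupInvite(token, group, invitee_email)
        self.outbox.append((invitee_email, token))
        return {"group": group, "email": invitee_email, "status": "pending"}

    def accept_vulnerable(self, token: str, acting_user: str) -> User:
        """Flawed: treats possession of the token as proof of inbox ownership."""
        invite = self.invites[token]
        user = self.users[acting_user]
        if user.email != invite.invitee_email:
            raise PermissionError("invite belongs to a different email")
        invite.accepted = True
        user.is_verified = True  # the bug: verification granted on acceptance
        return user

    def accept_hardened(self, token: str, acting_user: str) -> User:
        """Accepting an invite joins the group; it never touches verification."""
        invite = self.invites[token]
        user = self.users[acting_user]
        if user.email != invite.invitee_email:
            raise PermissionError("invite belongs to a different email")
        if not user.is_verified:
            raise PermissionError("verify your email through the normal flow first")
        invite.accepted = True
        return user


def run_scenario() -> dict:
    """Replays the write-up's steps against both variants and reports the outcome."""
    victim = "victim@example.invalid"  # constructed placeholder address

    # Vulnerable service: the inviter reads the token from the response and
    # uses it against an unverified account registered under the victim's email.
    svc = InviteService()
    svc.register("inviter@example.invalid", verified=True)
    leaked_token = svc.create_invite_vulnerable("demo-group", victim)["token"]
    svc.register(victim)  # unverified account under the invitee's email
    vulnerable_verified = svc.accept_vulnerable(leaked_token, victim).is_verified

    # Hardened service: no token in the response, and even a token obtained
    # some other way cannot flip the verified flag on acceptance.
    svc2 = InviteService()
    svc2.register("inviter@example.invalid", verified=True)
    response = svc2.create_invite_hardened("demo-group", victim)
    svc2.register(victim)
    token_from_outbox = svc2.outbox[-1][1]
    try:
        svc2.accept_hardened(token_from_outbox, victim)
    except PermissionError:
        pass
    return {
        "vulnerable_verified": vulnerable_verified,
        "hardened_token_in_response": "token" in response,
        "hardened_verified": svc2.users[victim].is_verified,
    }
```

Both fixes matter independently: not returning the token closes the leak this write-up uses, and decoupling acceptance from verification means any other way of obtaining a token (forwarded mail, logs, a shared device) still cannot upgrade an unverified account.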
