www.komunalny.pl registration issue - predictable verification url

07 Feb 2021

Website:

https://www.komunalny.pl - you can register an account to any email address, cause verification link which sended by email is predictable

Risk [low level]:

An attacker was able to create an account in behalf of unaware victim and verify the account by sending prepared GET request with predicted query params. In result the victim could be spammed with unsolicited content via komunalny.pl newsletter or even by vendor marketing emails.

Description:

First we are submitting the registration form:

Registration form

The verification link sended after submition has an easy to guess structure:

https://portalkomunalny.pl/?aa=1&id=INTEGER

eg: https://portalkomunalny.pl/?aa=1&id=123

In this link:

we have a static aa query param with value 1
we have id query param with iterated integers reflecting user ids

Email source with a verification link

Solution:

Right now verification link isn’t properly secured with unpredictable (hard to guess) token, which will be unique for every submitted registration request and checked server-side. Do recommend adding such a token to verification link and check it later on backend.

Timeline:

- 07-02-2021: Discovered
- 08-02-2021: Vendor notified
- 10-02-2021: Vendor replied
- ... : Issue resolved