Authorization / Email Verification Bypass

Web and API

Description

Email verification bypass is an authorization vulnerability that occurs when a system does not properly check that a user's email address has been verified before allowing that user to log in (CWE-287). This vulnerability is present in both web applications and APIs (OWASP Testing Guide).

When a user creates an account, they are typically required to verify their email address. If the verification process is improperly configured (for example, the login flow never checks the verified flag, or the verification link never expires), an attacker can bypass the verification step and gain access to the system.

Risk

This vulnerability can lead to significant risks, as attackers can misuse the system by altering or deleting data, or by creating accounts that can be used to further their malicious activity. The risk should be assessed depending on the type of data the system protects and the potential consequences of its misuse.

Solution

The solution to this vulnerability is to properly configure the verification process: require email verification before a user can log in, issue verification links that are only valid for a limited timeframe, and ensure that every user granted access to the system has a verified email address.
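The following is an added example, not code from the original page, illustrating both the account-creation flow described under Description and the controls listed under Solution. It is a minimal, in-memory Python service (the class and method names, the one-hour token lifetime and the sample credentials are all assumptions made for the example). It places a login routine that forgets to check the verified flag next to a hardened one, and shows a verification token that is stored hashed, expires after a fixed window, and can only be used once.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy value for this example: verification links expire after one hour.
TOKEN_TTL_SECONDS = 3600


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    email_verified: bool = False
    # Only a hash of the verification token is stored, so a leaked database
    # row does not hand an attacker a usable link.
    verification_token_hash: Optional[str] = None
    verification_expires_at: Optional[float] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here purely to keep the example self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode()).hexdigest()


class AuthService:
    """Hypothetical in-memory account store used to demonstrate the check."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def register(self, email: str, password: str, now: Optional[float] = None) -> str:
        """Create an unverified account and return the raw token that would be
        sent to the user out of band (by email). The caller never stores it."""
        now = time.time() if now is None else now
        salt = secrets.token_bytes(16)
        user = User(email=email, salt=salt, password_hash=_hash_password(password, salt))
        raw_token = secrets.token_urlsafe(32)
        user.verification_token_hash = _hash_token(raw_token)
        user.verification_expires_at = now + TOKEN_TTL_SECONDS
        self.users[email] = user
        return raw_token

    def verify_email(self, email: str, raw_token: str, now: Optional[float] = None) -> bool:
        """Mark the account verified only if the token matches, has not expired,
        and has not already been consumed."""
        now = time.time() if now is None else now
        user = self.users.get(email)
        if user is None or user.verification_token_hash is None:
            return False
        if user.verification_expires_at is None or now > user.verification_expires_at:
            return False
        if not hmac.compare_digest(_hash_token(raw_token), user.verification_token_hash):
            return False
        user.email_verified = True
        # Single use: clear the token so the same link cannot be replayed.
        user.verification_token_hash = None
        user.verification_expires_at = None
        return True

    def _password_ok(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    def login_vulnerable(self, email: str, password: str) -> bool:
        """The bypass: correct credentials are enough, verified or not."""
        user = self.users.get(email)
        return user is not None and self._password_ok(user, password)

    def login(self, email: str, password: str) -> bool:
        """Hardened: credentials must be correct AND the email must be verified."""
        user = self.users.get(email)
        if user is None or not self._password_ok(user, password):
            return False
        if not user.email_verified:
            return False
        return True


if __name__ == "__main__":
    # Constructed walkthrough with a fixed clock so the expiry is reproducible.
    svc = AuthService()
    token = svc.register("alice@example.test", "correct horse", now=1000.0)
    print("vulnerable login before verification:", svc.login_vulnerable("alice@example.test", "correct horse"))
    print("hardened login before verification:  ", svc.login("alice@example.test", "correct horse"))
    print("verify with expired token:           ", svc.verify_email("alice@example.test", token, now=1000.0 + TOKEN_TTL_SECONDS + 1))
    print("verify with valid token:             ", svc.verify_email("alice@example.test", token, now=1500.0))
    print("hardened login after verification:   ", svc.login("alice@example.test", "correct horse"))
```

The check that matters is the single `email_verified` test inside `login`; everything else (hashed storage, expiry, single use, constant-time comparison) limits what an attacker can do with a verification link they obtain or guess. In a real deployment the same `email_verified` gate also belongs on any API endpoint that issues sessions or tokens, not only on the browser login form.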
