$3750 Bounty: Account Creation with Invalid Email Addresses
Summary
HackerOne has detailed a vulnerability in the organisation’s account creation process that allowed invalid email addresses to be used.
The issue, which earned the reporter a $3,750 bounty, stems from the problems that unexpected symbols in an email address can cause: broken mail deliverability, parsing errors in downstream systems and, potentially, injection attacks.
Such weaknesses can give attackers a foothold for illicit activity and deeper access into a company's systems.
The disclosure shares lessons on the importance of validating submitted email addresses so that they follow the correct format and conform to the standard address syntax, avoiding these issues.
The post also reminds developers to treat every input as untrusted and to consider carefully how each one is handled, so that potentially malicious behaviour is prevented.
It also notes that in this case, the HackerOne team had the vulnerability resolved within just two hours of its reporting.
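As an added example (not HackerOne's code and not taken from the disclosed report), the following Python validator shows the kind of conservative check an account-creation form can apply to reject the unexpected symbols the post describes. The accepted syntax is an assumption: it is deliberately narrower than the full RFC 5322 grammar, and the sample addresses are constructed.

```python
import re
import unicodedata
from typing import Tuple

# Constructed example: a deliberately conservative sign-up validator.
# It accepts only the dot-atom form of the local part (no quoted strings,
# no comments, no internationalised addresses), because sign-up is where
# odd symbols do the most damage: they break delivery, confuse downstream
# parsers and, if a CR/LF slips into a header, enable injection.
ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_RE = re.compile(rf"^{ATOM}(\.{ATOM})*$")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_email(addr: str) -> Tuple[bool, str]:
    """Return (ok, reason); reason is a short code suitable for logging."""
    if not isinstance(addr, str):
        return False, "not-a-string"
    # Control characters (CR, LF, NUL, TAB, ...) are rejected before anything
    # else: they are what turns one field into a second header or record.
    if any(unicodedata.category(c).startswith("C") for c in addr):
        return False, "control-char"
    if len(addr) > 254:
        return False, "too-long"
    if addr.count("@") != 1:
        return False, "at-sign-count"
    local, domain = addr.split("@")
    if not local or len(local) > 64 or not LOCAL_RE.match(local):
        return False, "bad-local-part"
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return False, "bad-domain"
    if not labels[-1].isalpha():
        return False, "bad-tld"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, one per failure class plus a valid address.
    samples = [
        "alice@example.com",
        "alice\r\nbcc: x@example.com",   # header-injection style payload
        "alice@@example.com",
        "a..b@example.com",
        "alice<script>@example.com",
        "alice@-example.com",
    ]
    for s in samples:
        print(repr(s), "->", validate_email(s))
```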