Medium

lunary

Email Validation Bypass via Dot Character

A vulnerability in versions <=v1.2.11 allows attackers to create multiple accounts using variations of the same email address by inserting dot characters. This issue was patched in a subsequent release.

Available publicly on Jun 16 2024

5.3

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit:

h2oa
Threat Overview

The vulnerability arises from improper email validation, allowing attackers to create multiple accounts using the same email address with variations that include dot characters. This can lead to account duplication and potential abuse of the system, as the server fails to recognize these variations as the same email address.

Attack Scenario

An attacker registers an account with the email attacker123@gmail.com. They then register another account with the email attacker.123@gmail.com. Due to the improper email validation, the system treats these as two distinct accounts, allowing the attacker to bypass restrictions and potentially exploit the system.

Who is affected

Users of the software version <=v1.2.11 are affected, particularly those relying on email-based account creation and validation.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.