How I found the silliest logical vulnerability for $750 that no one found for 3 years

Sometimes even a well-tested program can have silly vulnerabilities. This one was in a private program I was invited to. It had been tested for 3 years and lots and lots of vulnerabilities, even critical ones, had been reported, from SQL injection to XSS, deserialization and whatnot, yet nobody had reported a vulnerability for over 1 year. After spending 3 days on it I found this really silly bug, about which even the team behind the software said, and I quote:

Vendor: I am very surprised to find such a simple vulnerability in this addon. This will be addressed by our development team. Thank you very much for your report.

The vulnerability was in a plugin; the program's scope mentioned that you can look for vulnerabilities in their plugins too.

The vulnerability was an email blacklist bypass.

In a certain plugin, they had introduced a feature to prevent registration with free mailing services such as temp mails, Gmail, Yahoo, etc.

I'm sure you've encountered examples of such a mechanism on websites that stop you from completing registration when you sign up with something like johndoe@gmail.com. They mostly use a list of known domains that provide free mailing services, and if the domain part of your email (the domain.com in johndoe@domain.com) is one of the blacklisted domains, then you can't register.

Since the program was open-source, I was reading through the code to make sure there were no implementation flaws, and I came across this subroutine:

Did you find the vulnerability?

As mentioned in the added comments, the application takes the user's email address, for example batman@gmail.com, and then checks whether the domain part of the email is on the blacklist.

Now, if we input an email address whose domain part is not included in the blacklist, that's not actually a bypass; but if we use a restricted domain and the application still allows it, then that's a bypass. So let's add some comments:

As you can see, the application uses the PHP in_array function, which performs a case-sensitive comparison, so the check can be defeated simply by changing the letter case. That means we can change batman@gmail.com to batman@GMAIL.com and in_array returns false when checking whether the domain is blacklisted, while the mail server treats the domain part case-insensitively and delivers to the same mailbox.
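To make the flaw concrete, here is an added example (my own reconstruction, not the plugin's actual code) of a domain blacklist check written the way the write-up describes, next to a hardened version that normalizes the case before the lookup. The blacklist contents and the sample addresses are constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code: a case-sensitive domain blacklist
// check and a hardened replacement.

// Constructed sample blacklist of free-mail domains.
$blacklist = ['gmail.com', 'yahoo.com', 'mailinator.com'];

// Extract the domain part of an address (text after the last '@').
// Returns null when there is no '@' at all.
function domainOf(string $email): ?string
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return null;
    }
    return substr($email, $at + 1);
}

// Vulnerable variant: in_array() compares strings case-sensitively,
// so 'GMAIL.com' does not match the entry 'gmail.com'.
function isBlacklistedVulnerable(string $email, array $blacklist): bool
{
    $domain = domainOf($email);
    if ($domain === null) {
        return false;
    }
    return in_array($domain, $blacklist, true);
}

// Hardened variant: trim and lowercase both sides before comparing, and
// keep strict mode so only real string matches count. Lowercasing is safe
// because DNS names (and therefore the domain part of an address) are
// case-insensitive.
function isBlacklistedFixed(string $email, array $blacklist): bool
{
    $domain = domainOf($email);
    if ($domain === null) {
        return false;
    }
    $domain = strtolower(trim($domain));
    $normalized = array_map('strtolower', $blacklist);
    return in_array($domain, $normalized, true);
}

// Constructed inputs: the original address and its mixed-case variant.
foreach (['batman@gmail.com', 'batman@GMAIL.com'] as $email) {
    printf(
        "%-18s vulnerable=%s fixed=%s\n",
        $email,
        isBlacklistedVulnerable($email, $blacklist) ? 'blocked' : 'allowed',
        isBlacklistedFixed($email, $blacklist) ? 'blocked' : 'allowed'
    );
}
```

Running this shows the vulnerable check blocking the lowercase address but allowing the uppercase one, while the hardened check blocks both. The fix is to normalize the value once at the trust boundary; the same normalization should be applied to the stored address so that later lookups and uniqueness checks agree with the registration-time check.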

As I mentioned, the vendor's response was this:

Vendor: I am very surprised to find such a simple vulnerability in this addon. This will be addressed by our development team. Thank you very much for your report.

A simple vulnerability, yet no one had looked for it after 3 years of hunters testing the program.

I was rewarded $750 for this bypass.

I hope you all enjoyed this write-up. See you next time.

-Sina

My Twitter: https://twitter.com/SinSinology

My Linked-In: https://www.linkedin.com/in/sina-kheirkhah-879860213/

Other Writeups: https://sinsinology.medium.com/

I enjoy finding bugs and I feel really great when I share my knowledge and learn something new. So be it.

Sina Kheirkhah (SinSin)