- Status Closed
- Assigned To No-one
- Private
Opened by 0xEsso - 26.10.2025
Last edited by cbay - 27.10.2025
FS#234 - Bypassing Mandatory Credit Card Validation via Google OAuth Registration Flow
Description: The registration page at https://www.alwaysdata.com/en/register/ requires mandatory credit card validation ("Validation par carte bancaire") to proceed, as noted in the warning: "Pour continuer l'inscription et afin de limiter les abus vous devez impérativement valider une carte bancaire." This is likely an abuse prevention measure.
However, the Google OAuth flow at https://www.alwaysdata.com/oauth/google/login/ allows bypassing this requirement. By signing in with a Google account and completing the CAPTCHA, I created a new account without providing or validating a credit card.
Steps to Reproduce: 1. Visit https://www.alwaysdata.com/en/register/.
2. Observe the mandatory credit card validation step ("Valider ma carte" button).
3. Navigate to https://www.alwaysdata.com/oauth/google/login/.
4. Sign in with a Google account .
5. Confirm the creation of a new account without credit card validation.
Impact: - This allows bypassing the intended abuse prevention mechanism, potentially enabling multiple free account creations without validation.
- The impact is limited to potential resource consumption (e.g., bandwidth, storage) if scaled, with no access to customer data or core platform architecture.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
Credit card validation is only applied in some cases, not in all cases. It's not applied for OAuth sign up, for instance.
Kind regards,
Cyril